EzCad .ezd parsing the pens

My notes on parsing the EZD Cad 2 format and accessing the pen information for regular and Q/MOPA types.

The key part is getBasePtr () + the offset

    1. base = (uint32_t*)(dataBuffer->data() + 0x160 );
    2. dataBuffer->data() + baseOffset + SPEED_MM_OFFSET

start of file + baseOffset + value you want to read/write

These are the offsets
this is a pointer to an offset where the pens/data so baseOffset+this

offset of the parameter name NAME_OFFSET ( 8UL )
this is the length of the first name of the .ezd i started with
NAME_LENGTH ( 0x10 )


unsigned long here Q_OFFSET ( 0x3c )

double here
Q_OFFSET_2 ( 0x3c+0xa0 ) START_TC_OFFSET ( 0x44 ) LASER_OFF_OFFSET ( 0xCC ) END_TC_OFFSET ( 0x4c ) POLYGON_TC_OFFSET ( 0x54 )

#pragma once

// so far, we no longer need this since it moves
// ezcad version 2.14.11
#define BASE_POINTER (0x27300)

// some test ezd files I found on the web
//#define BASE_POINTER (0x464)

enum {
	COL_RGB = 2,
	COL_Q = 9,
	COL_END_TC = 12,
	MAX_COLS = 14

#define MAX_PEN				( 256 )

#define	DATA_PENS_OFFSET		( 0x160 )	// this is a pointer to an offset where the pens/data is 
#define	NAME_OFFSET			( 8UL )		// offset of the parameter name
#define	NAME_LENGTH			( 0x10 )	// this is the length of the first name of the .ezd i started with
#define USE_DEFAULT_OFFSET		( 0x0c + 8 )
#define USE_ON_OFF_OFFSET		( 0x0c )
#define LOOP_COUNT_OFFSET		( 0x14 )
#define SPEED_MM_OFFSET			( 0x1c )
#define POWER_OFFSET			( 0x28 )
#define FREQUENCY_OFFSET		( 0x34 )
#define Q_OFFSET			( 0x3c )	// unsigned long here
#define Q_OFFSET_2			( 0x3c+0xa0 )	// double here
#define START_TC_OFFSET			( 0x44 )
#define LASER_OFF_OFFSET		( 0xCC )
#define END_TC_OFFSET			( 0x4c )
#define POLYGON_TC_OFFSET		( 0x54 )

class EZD {

	uint16_t	penID;

	// start of pen data
	size_t	basePointer;

	// offset of data after the Parameter string
	uint64_t	baseOffset;

	std::string* dataBuffer = NULL;

	size_t parameter_length;

	~EZD() {
	EZD() : baseOffset(0),basePointer(0), penID(0) ,parameter_length(0) {


	EZD(size_t basePtr, uint16_t pen, std::string& data) : EZD() {

		/// whole EZD file
		dataBuffer = &data;

		// start of pen data
		basePointer = basePtr;

		// length of unicode parameter string in bytes
		parameter_length = dataBuffer->at(basePointer + 4);

		// rebases a pointer to after the unicode string .
		// 8 is the offset of the Unicode string
		baseOffset = 
			(size_t)(basePointer + NAME_OFFSET + parameter_length);
		penID = pen;

	// returns the address of the last byte in the block
	size_t EndOfBlock()
		// 0x27c is the size of a block with 0x10 length of the "default" string
		return basePointer + parameter_length + (0x27c - 0x10);

	// these are before the unicode string so are only affected by the basePointer
	void R(uint8_t r) { dataBuffer->at(basePointer) = r; };
	void G(uint8_t g) { dataBuffer->at(basePointer + 1) = g; };
	void B(uint8_t b) { dataBuffer->at(basePointer + 2) = b; };

	uint8_t R() { return dataBuffer->at(basePointer); };
	uint8_t G() { return dataBuffer->at(basePointer + 1); };
	uint8_t B() { return dataBuffer->at(basePointer + 2); };

	uint32_t GetRGB() {
		uint32_t rgb;
		rgb = RGB(R(), G(), B());
		return rgb;


	void SetRGB(uint8_t r, uint8_t g, uint8_t b) {


	void SetRGB(COLORREF r) {
		uint32_t rgb;
		rgb = (uint32_t)r;


	// these are before the unicode string so are only affected by the basePointer
	CString Parameter() {

		// ugly way to do a unicode string...
		std::wstring data;

		// check that we were able to actually read a string length
		if (parameter_length == 0) {
			return CString(_T("NA"));

		// resize our string to match

		// fetch ptr to it
		unsigned char* p = (unsigned char*)dataBuffer->data() + basePointer + 8;

		// check results
		if (p == 0) {
			return CString(_T("NA"));

		char* d = (char*)data.data();

		// check results
		if (d == 0) return CString(_T("NA"));

		//copy over string data

		return CString(data.c_str());

	// these are before the unicode string so are only affected by the basePointer
	std::wstring Parameter(CString value) {

		// ugly way to do a unicode string...
		std::wstring data( value);

		// check that we were able to actually read a string length
		if (parameter_length == 0) {
			return std::wstring(_T(""));

		// resize our string to match the length store, its a hassle to rewrite the whole file for this otherwise

		// fetch ptr to it
		unsigned char* p = (unsigned char*)dataBuffer->data() + basePointer + 8;

		// check results
		if (p == 0) {
			return std::wstring(_T(""));

		char* d = (char*)data.data();

		// check results
		if (d == 0) return std::wstring(_T(""));

		//copy over string data

		return data;

	// these are afer the unicode string so are only affected by the basePointer and the length of the unicode string
	uint8_t UseDefault() {
		uint64_t offset = basePointer + USE_DEFAULT_OFFSET + parameter_length;
		uint8_t* b = (uint8_t*)(dataBuffer->data() + offset);
		return *b;

	// only verifys its 0 or 1
	bool UseDefault(uint8_t value) {

		if ((value != 0) && (value != 1)) {
			return false;

		uint64_t offset = basePointer + USE_DEFAULT_OFFSET + parameter_length;
		uint8_t* b = (uint8_t*)(dataBuffer->data() + offset);
		*b = value;

		return true;

	// these are afer the unicode string so are only affected by the basePointer and the length of the unicode string
	uint8_t OnOff() {
		uint64_t offset = basePointer + USE_ON_OFF_OFFSET + parameter_length;
		uint8_t* b = (uint8_t*)(dataBuffer->data() + offset);
		return *b;

	// only verifys its 0 or 1
	bool OnOff(uint8_t value) {

		if ((value != 0) && (value != 1)) {
			return false;

		uint64_t offset = basePointer + USE_ON_OFF_OFFSET + parameter_length;
		uint8_t* b = (uint8_t*)(dataBuffer->data() + offset);
		*b = value;

		return true;

	uint32_t getBasePtr() {
		uint32_t* base;
		base = (uint32_t*)(dataBuffer->data() + 0x160 );
		return *base;


	uint32_t LoopCount() {
		uint32_t* loop;
		loop = (uint32_t*)(dataBuffer->data() + baseOffset + LOOP_COUNT_OFFSET);
		return (uint32_t)*loop;
	bool LoopCount(uint32_t value) {

		if (value < ezdConfig.LoopCountMin || value > ezdConfig.LoopCountMax) {
			return false;

		uint32_t* loop;
		loop = (uint32_t*)(dataBuffer->data() + baseOffset + LOOP_COUNT_OFFSET);
		*loop = value;

		return true;

	double SpeedMM() {
		double* speed;
		speed = (double*)(dataBuffer->data() + baseOffset + SPEED_MM_OFFSET);
		return *speed;

	bool SpeedMM(double val) {
		//reject OOB
		if (val < ezdConfig.SpeedMMMin || val > ezdConfig.SpeedMMMax) {
			return false;

		double* speed;
		speed = (double*)(dataBuffer->data() + baseOffset + SPEED_MM_OFFSET);
		*speed = val;
		return true;

	double Power() {
		double* power;
		power = (double*)(dataBuffer->data() + baseOffset + POWER_OFFSET);
		return *power;

	bool Power(double val) {
		double* power;

		//reject OOB
		if (val <ezdConfig.PowerMin|| val > ezdConfig.PowerMax) {
			return false;

		power = (double*)(dataBuffer->data() + baseOffset + POWER_OFFSET);
		*power = val;
		return true;

	double Frequency() {
		uint32_t* frequency;
		frequency = (uint32_t*)(dataBuffer->data() + baseOffset + FREQUENCY_OFFSET);
		return (double)(*frequency) / 1000.0;

	bool Frequency(double val) {

		//reject OOB
		if (val < ezdConfig.FrequencyMin || val > ezdConfig.FrequencyMax) {
			return false;

		uint32_t* frequency;
		frequency = (uint32_t*)(dataBuffer->data() + baseOffset + FREQUENCY_OFFSET);
		uint32_t t = (uint32_t)(val * 1000.0);
		(*frequency) = t;

		return true;

	int32_t StartTC() {
		int32_t* temp;
		temp = (int32_t*)(dataBuffer->data() + baseOffset + START_TC_OFFSET);

		return *temp;

	bool StartTC(int32_t val) {
		//reject OOB
		if (val < ezdConfig.StartTCMin || val > ezdConfig.StartTCMax) {
			return false;
		int32_t* temp;
		temp = (int32_t*)(dataBuffer->data() + baseOffset + START_TC_OFFSET);
		*temp = val;
		return true;

	uint32_t LaserOff() {
		uint32_t* temp;
		temp = (uint32_t*)(dataBuffer->data() + baseOffset + LASER_OFF_OFFSET);

		return *temp;

	bool LaserOff(uint32_t val) {
		//reject OOB
		if (val < ezdConfig.LaserOffMin || val > ezdConfig.LaserOffMax) {
			return false;

		uint32_t* temp;
		temp = (uint32_t*)(dataBuffer->data() + baseOffset + LASER_OFF_OFFSET);
		*temp = val;

		return true;

	uint32_t EndTC() {
		uint32_t* temp;
		temp = (uint32_t*)(dataBuffer->data() + baseOffset + END_TC_OFFSET);

		return *temp;

	bool EndTC(uint32_t val) {
		//reject OOB
		if (val < ezdConfig.EndTCMin || val > ezdConfig.EndTCMax) {
			return false;

		uint32_t* temp;
		temp = (uint32_t*)(dataBuffer->data() + baseOffset + END_TC_OFFSET);
		*temp = val;

		return true;


	uint32_t PolygonTC() {
		uint32_t* temp;
		temp = (uint32_t*)(dataBuffer->data() + baseOffset + POLYGON_TC_OFFSET);

		return *temp;

	bool PolygonTC(uint32_t val) {
		//reject OOB
		if (val < ezdConfig.PolygonTCMin|| val > ezdConfig.PolygonTCMax) {
			return false;

		uint32_t* temp;
		temp = (uint32_t*)(dataBuffer->data() + baseOffset + POLYGON_TC_OFFSET);
		*temp = val;

		return true;

	uint32_t Q() {
		uint32_t* temp;
		double* temp1;
		temp = (uint32_t*)(dataBuffer->data() + baseOffset + Q_OFFSET);
		temp1 = (double*)(dataBuffer->data() + baseOffset + Q_OFFSET_2);

		return *temp;

	bool Q(uint32_t val) {

		//reject OOB
		if (ezdConfig.QMin < 0 || val > ezdConfig.QMax) {
			return false;

		uint32_t* temp;
		double* temp1;

		temp = (uint32_t*)(dataBuffer->data() + baseOffset + Q_OFFSET);
		temp1 = (double*)(dataBuffer->data() + baseOffset + Q_OFFSET_2);

		*temp = val;
		*temp1 = double(val);

		return true;

decode .upd files

just a very quick post on how to decode a chinese laser cutter firmware update file 644 etc

#include <iostream>
#include <fstream>
#include <vector>

uint8_t decode(uint8_t updByte)
     return (((uint8_t)(updByte – 1) ^ 0x88) << 7) |
         (( uint8_t)((updByte – 1) ^ 0x88) >> 7) |
         ((updByte – 1) ^ 0x88) & 0x7E;

int main(int argc, char* argv[])
     if (argc < 3) {
         return -1;

    std::ifstream updFile(argv[1], std::ios::binary | std::ios::ate);
     std::streamsize size = updFile.tellg();
     updFile.seekg(0, std::ios::beg);

    std::vector<char> buffer(size);
     if (updFile.read(buffer.data(), size))
         std::cout << “loaded ” << buffer.size() << std::endl;
         for (size_t i = 0; i < buffer.size(); i++ ) {
             buffer[i] = decode(buffer[i]);

        auto outputFile = std::fstream(argv[2], std::ios::out | std::ios::binary);
         outputFile.write((char*)buffer.data(), buffer.size());

Super Mini Mini 2 – TC motor part 2

Finally done with all my trips over the seas. So had time to pull apart the SMM2 and get to the second motor and inspect it.

it came pretty dirty, and i guess i didn’t clean off that drywall as well as thought, and that stuff isn’t good so cleaned that up first

then remove all the bolts on the top, not the door ones on the side though,they’re obviously not part of the top though, the enclosure will still in place when the top is removed.


i am pretty sure the previous owners just hosed it down with the green stuff. But we can see the same motor OEM but this time it has sealed brushes, don’t know why they used sealed on this one and not the other!


reasons as why not to use this style of molex connector in a place it can get contaminated. chips inside the connector, coolant you name it, so wrapped it.


the umbrella door opening mech gets a lot of swarf under it too, so good place to put on a cleaning schedule

close up showing the internal part of the connector has been contaminated.image

under this wheel the chips were getting bunched up so i cleaned it out


this is where the cables for the motor and sensors enter the steel tube frame, the bulkhead protecting ring had fallen out and it just wouldn’t stay in place, i pressed it in here in this picture but it just fell out again. this is meant to stop the edge of the metal slowing eating away at the insulation on the wiring since it’ll move/vibrate so its worth improving it. the haas one just wouldn’t lock into place, either a sloppy fit or it wore out


removing the access panel on the  steel tube to get access to the connectors. neither of these were tight and the left one was a tad cross threaded and the cable was loose and moved so wasn’t really sealed , also no gasket/seal on the panel so the coolant can get inside, as you can see here. sloppy fit on the bulkhead again. not a huge deal but could be better.


just like the green from swamp thing, it gets everywhere.


rear of panel


motor type SPG LS series LS85E82K-A06. haas part no 32-1875



and apparently after this i didn’t take more pictures though i thought i had..

the brushes on this motor have o ring seals so they were fine inside, all we did was clean up excess coolant and chips from everywhere feasible and then put it back together, no real issues there, add a gasket to that access panel. cover up the molex connectors for the sensor with some self annealing tape etc.



also finally managed to get an CSMD NGC from eBay for a decent amount less than the list price from Haas. i have no idea what goes on with pricing on eBay, but i regularly see these go for 2x or more the list price from Haas for used ones… ($1600) maybe there is some secret Haas charge but we did get a HFO quote for it at that price. so who knows, but apparently you can arbitrage CSMDs on eBay. More on that later (the csmd not the arbitrage )


haas super mini mill 2 ngc tool changer carousel motor


don’t use tool 1 during testing the carousel, use tool 2

the folks that had our SMM2 with only 300 hours before us didn’t do the best job of keeping it clean and used some wacky looking coolants.

we noticed that the tool change was a bit sloppy/noisy and looking around people just said that is just Haas, but eventually while I was in the UK it failed with a lot of serious looking warnings 9847 etc that if you looked up talked about firmware mismatches but looking into it, it was basically just saying that the motor was on, but didn’t seem to be drawing current.

oh dear.


so pulled apart the machine, removed the access panel to the changer , lifted out the motor and looked at the brushes. they were contaminated so cleaned it up, put it back and seemed to be better.

when i got back to the USA a week or so later we noticed the tool change was throwing a quick alarm during a tool change.

so today we pulled it apart again

this motor being disconnected, throws an 858 ATC carousel motor electrical fault

cover off


there are some interesting design choices in here.

removed wiring, tool #1 connector wire is marked as tool #1, t.c mark isn’t marked as t.c. mark.


removed the motor from the housing


very steely.


baldor motor,. spg assembly https://spgmotor.net/bs-series/#1561724885376-8af2aff5-cb26e609-82cd0c42-a4318461-c59ceb77-0fe8467c-de89


pepperl fuchs

NBB4-12M45-Z5-0.3MM sensors



Get to the brushes!

remove this cover, flat blade should come out easily.



fun stuff, it is not sealed , nor is meant to be by the manufacturer even though this is a custom one for haas ( seems to be, different ratio and they run it at 160V)




brush is all gunked up


the new dune is looking good, but low budget sandworms


i did order a couple of replacement brushes, but they’re not really right since its just the carbon side with no provision for the wire, not a big deal since the brush itself is the same length as the new one and looks fine.

cleaned up the brush, and put it back ( added some teflon tape on retainer)

lets take a look at the other brush


interesting, totally fine no damage,  no corrosion.

when the motor is mounted, the dirty brush is on the inside where the green rectangle is


most of the box this is all in is “sealed”, gasket on the front, sealed wiring… except there is a ruddy great slot and bearing as part of the tool changer mech right next to the brush, so no we know why its contaminated on that side only….  why not rotate the motor 90o so the brushes aren’t exposed to the grease and coolant, after thought?

a plate over this with an indent for the nut/bolt would have been great too, and would have kept chips and coolant etc out of this mechanism,

some photos of the offending part, you can see the grease, coolant and chips


the nasty brush is right next to the nut, and we cleaned up the inside of the cabinet a lot , it was a lot worse.


a temp fix while we decide what to do about it long term, the teflon tape will help and i wrapped the motor with some aluminum tape


so if you get tool change errors, or a sloppy tool change where it feels like it doesn’t engage well or the motor just sounds funky, check that motor and brush, , it might just need a good cleaning.

measured 21 ohms on the motor after cleaning. (haas specs 5 to 20 ohms)

note correct placement of wiring at the front of the motor versus behind it


next we are going to pull out the shuttle motor and check it, that does not look fun to remove.

also this is a fun fella.



hello onsemi/fairchild ?


Teknik Quickset V6.3.8 under Windows 10

Update: Teknik have updated the app with these fixes and released V6.4.0 they accidentally included a readme that is actually a copy of the exe again as a txt file. so I let them know and they’re fixing it too but confirmed V6.4.0 works as expected on Windows 10

I’d recently added Windows 10 to  my main since it has a lot of nice stuff, wsl2/sandboxing etc. and as much as I like windows 7 it is time for a dual boot setup.

Anyway for the projects I am currently working on, so far only the Teknik QuickSet software failed to install/run.

The failure is from an .OCX file from a third party that allows them to use Hotkeys that get processed before VBA etc sees them.

How to fix it

Step 1. Download and install quickset 6.3 from Teknik.

It’ll tell you a OCX failed to register, ignore it in the popup and it will continue the install process.

Step 2. Grab this zip archive and extract it https://www.desaware.com/support/downloads/spyworks/signedcomponents.zip

Step 3. Replace the files in the Quickset folders with the files from this zip.

Step 4. Open up an elevated CMD prompt (Run as administrator)


Step 5. Go to the folder where quickset DLLs are (default location below)

cd “C:\Program Files (x86)\Teknic\Quickset 6.3”
regsvr32 DWSHK80.OCX

We’re done with the command prompt now.

That should be it. QuickSet will now run as expected.


teknic servos and servo drivers

This is a W I P and will be adding to it as time permits, also as we do discovery and get it working.

We picked up a few teknic 2311 servos and controllers from ebay, the eclipse, sst and control point trajectory planner. The plan is to convert all our existing machines that use steppers into servos. Starting the journey with a HF Mini Lathe conversion its easy to handle and if you slam it into itself during tuning (which will likely happen) then its not going to do a lot of damage to itself or anyone else, since its tiny in comparison to our other Lathe/machines. Plus it is neat to have a small CNC lathe.


Teknic make nice gear, they sell their ClearCore controller which is a neat little dev box, as well as ClearPath servos  that are stepper replacements that take step/dir and then translate all that into the proper servo movements for a brushless motor.

Since we managed to get a good deal on the servo drives and motors we decided to venture into the world of tuning Teknic servos.

Teknic support is basically two levels :-

one:  buy 100s or 100s of units a year of the eclipse and we’ll remotely tune and help
two: buy a clearpath

Which is fair enough.

There is also no auto tune feature and no hardware monitor port on Eclipse drives, the SSTs have them but are older tech. ClearPaths have auto tune, which is a fine choice, but at first you might be how do i get the fine control i’m looking for out of step/dir that i do from –/+ 10V

From best we can tell, you download the QuickSet software for your controller, load a windows .ini style config for your drive/motor setup if there is one and start from there. If there is no config for your setup you start off with the basic parameters of the motor from the datasheet and start PID style tuning on it, first on the bench with no load. Then with the load you are planning to drive.

Since Teknic won’t help us (after all we did buy from eBay we’re on our own) and we want to have interoperability between our motion controllers (tinyg/kflop) and the eclipse/servo drives.

Sounds easy enough…..

Quickset Software

The QuickSet software has an RS232 connection to the driver that can read back the various monitor signals from the driver (some drivers have a hardware monitor line you can connect a scope too, the help docs muddle the descriptions so you spend a while looking for the non existing port, even looking for a TLC5615C 10 bit DAC convertor on the main board, so far haven’t found it. These folks really like TI.

The are two versions of QuickSet we’re using 6.3 since 5.x doesn’t handle our drive, the SST version is called SST-QuickSet.

First thing we did was head to duckduckgo and search for “how to tune teknic servos” etc , lots of ClearPath examples, nothing on the separates. What about examples of the scope traces or what you should expect to see ( beyond the normal PID style tuning or <1 1 >1 style stuff ). Nope, how about anything at all?

Nothing. Maybe someone else can find a page detailing how it works but couldn’t find a thing.

Since we had the basic unloaded motor setup finished the next step was to load it and measuring tracking errors. Poking around the software, found “Tracking (Mtr) Dir) [F3]” etc.

Noting that some of the functions have short cut keys for setup,  F3/F4/F5  Kv tune Setup (shift F1) we figured that these would be the ones to use and setup first.  each shortcut changes a few parameters and setups the scopes and stimulus generator into  the right modes.

Tracking error still seems to evade though, we think  we’re looking at it.But not sure, i’ve looked thru the apps help section and its not great. The tune mode help sections go in circles, literally.

Searching the help section finally took us to a page that says


Phone support whats this ? I didn’t see anything obvious in the app. I did note the  Advanced section in the options page being greyed out so filled that for later investigation.

In the initial motor setup phase there is a shortcut keypress you have to do to enable editing the basic motor parameters. it’s ctrl+shift+M 

So i could look at the Registered Hotkeys, or i could say do Phone? ctrl+Shift+P ?


ControlPoint basic interface


Standalone phone support window


This fun box


I feel like one of the Hackers in the movies now where i guessed the password in one try. But really turns out I’m just one of those hackers that tried the obvious thing first and it worked “password123” etc. This may even be documented somewhere.

But now we can set a bar  showing the Direction tracking Error


It enables a tonne of other settings too.

For the ControlBasic scripting there is an old windows help format file that is a hassle to read, so just convert it to a modern one (HelpNDoc does it well)

For now we’ve got the motor moving back and forth with a slight “feels like a step” motion when using step/dir that might be the style of pulses from the TinyG we used to test, or its a setup error in the drive.

Using QuickSet the motor moves great, and its crazy torquey.

We initially tuned Kv then KP/Ki etc as discussed in the help section.

inital runs

Hardware setup

Most of the connections are molex, we lucked out that the eBay seller supplied cut and uncut cables. Also orderd spares from Arrow. SST and Eclipse here


0039012180 https://www.arrow.com/en/products/0039012180/molex
0039012200 https://www.arrow.com/en/products/0039012200/molex
0039000039 https://www.arrow.com/en/products/0039000039/molex
0050579405 https://www.arrow.com/en/products/0050579405/molex
0039012060 https://www.arrow.com/en/products/0039012060/molex
0016020119 https://www.arrow.com/en/products/0016020119/molex


1-480698-0 https://www.arrow.com/en/products/1-480698-0/te-connectivity
1376348-1 https://www.arrow.com/en/products/1376348-1/te-connectivity

https://www.teknic.com/files/downloads/E2-3L_manual.pdf All listed in  here on page  73

Also DB25 male needed

RS232 tx/rx to the host used a usb adapter and it worked fine.  Pins 2 and 3 on the DB-25

Drive enable , have to ground that. Watch out for the drive jumping into life if its badly configured or such Pin 4 DB-25

Supply +5v power for the logic board  Pin 20 DB-25

Pin 21 DB-25 is GND

Supply a solid 75VDC from a power supply designed for servos, they don’t play well with most SMPS, the toridials with a full wave rectifier and a few caps do well. Molex 4 Pin

Wire up motors and controllers per datasheet.

Also add step/dir for later testing. you don’t need it for the initial tune


Thats about it.


These are just mostly notes to ourselves. Some of the values have changed







OK Keyboard version 2(3) part 1

Another blog entry which is incomplete so I will keep adding to it as my schedule allows.

This is technically the third revision of the One Key Per GPIO Keyboard OKPGK since there is an APA102 2020 and a SK6812 version of the original. I’m still using the APA102 2020s. I added thicker traces, USB C and a few more caps to help with the very last LED in the chain, i can hopefully double the speed the LEDs are updated, though they’re fast as it is and we’ll run into the limits of the LED itself hopefully, if not already there.

This isn’t an article about the creation of they keyboard, its more of a board log/process thing.

Switches and LEDS


Added bluetooth with the MDBT 50 module


Setting it up for the PNP


I like to put the boards in the orientation they end up on the PNP if possible.

Building the BOM with BOM-XS.ulp


Prepping for export to the Neoden4 Software NEODEN-4.ulp


BOM-Xs.ulp for getting a parts list and order together


At this point its worth going back over the schematic and making sure you’re using the same device for parts that are used more than once. The 10K resistors didn’t get grouped since I used one device from the sparkfun lbr and one from microbuilder. Which happened because I imported the Bluetooth module from another one of my designs.

After using the replace feature of Eagle they are now properly grouped. Adding ATTRIBUTES from Mouser and Digikey parts helps a lot here, we normally try to use a common library where the footprints are verified and the attributes already exist. The more  data you can add here, the less work you have to do when you start to buy/build.



Prepping the Pick and Place

Magnetic bars hold it place and am using the fixed board method here.


Cataloging Parts

I decide to catalogue all the parts on the PNP since it has been a while since we did a run, which took a while! All the reels photographed and documented, it is so much easier to do as you’re going along. We usually keep the NSL default stack updated in the default ULP but as you change the reels you can export/import the previous stack from each different setup so there is a .USS file that is usually newer than the default stack, and we’re still working out what our default stack is.

I made a Google Sheet so we can track the changes, I plan to tie this into the export scripts so it builds up either a USS or the default stack automatically from this spreadsheet.



Next is setting up the fiducials, basically what I’m doing is locating where the fiducuals are physically on the PNP, then look at where eagle thinks they are, then using the difference between the two points (x1-x2) (y1-y2) and entering that into the Eagle Export section, which means the board is placed at the correct physical location. The machine then will run the auto fiducial finder and adjust everything automatically for any small differences during mounting or such.

I have yet to annotate this video.

Doing that gives me the XY offset for this, and entering the Xd/Yd into the X and Y boxes the outputted CSV file will contain the physical coordinates on the PNP. I’d have taken more photos of the process, but the fish pump in the PNP gets annoying to listen too (and they’re all in the video linked above)


Some of the components don’t fit in reels so I’ll make  a custom tray..

One of the issues we have with lack of storage space is sometimes its easier to buy new components than find them, especially if it is tiny parts. Placed an order for the CPUs and also picked up a few extra MBDT50 with the external antenna and a suitable antenna, ended up being arrow and mouser, can never seem to find an order that is from one place. It’ll also give an opportunity to check the antennas with the VNA which is always fun.


Another App

I threw together a quick MFC application that OAuths to the Google Sheets API and can pull the data down, then we write the USS file to the local folder for the Eagle ULP to use. I’d liked to have embedded it all into the ULP but the Oauth part is trickier there.  Alternatively publishing the sheet to the Web and then just get/json etc but I prefer this since its a two way process.


The idea here is you can keep a master spreadsheet with the state of the current Pick and Place setup. Data can also be edited here and pushed back to the spreadsheet. For different machines, can have different spreadsheets.

The push back is for things like Nozzle ID and X and Y of pickup, place/pickup height etc which is often fine tuned on the machine.

I haven’t pulled the images yet, not sure if I will. Rather than getting crazy on support applications I want MVP (Minimum Viable Product) the idea is to cut down spent in preparation

May also output a script that updates or adds ATTRIBUTES for the OEM Part numbers in the sch/brd file.

stick-vise XY table

Finally got around to creating a XY table for the stick vise to use with the eakins digital inspection camera. This is just a quick write up.

The idea is it can scan the larger PCB, and overlay the routes etc.

Here it is, for test fitment I just 3d printed the mounts. I’ll cut them out of metal later.

2020-06-06 19_44_11-Linear Rail 50mm _ 100mm _ 150mm_ 200mm Linear Stage Actuator with Square Linear

The https://www.stickvise.com/ adapter


Adapter to  connect the two linear rails’ together.


I picked up the rails off eBay/aliexpress but i wanted a longer 150mm so I grabbed another from Amazon, these things are available everywhere

2020-06-06 19_33_46-Autodesk Fusion 360
2020-06-06 19_21_37-Autodesk Fusion 360
2020-06-06 19_21_20-Autodesk Fusion 360

stick vise adapter.

2020-06-06 19_34_38-Autodesk Fusion 360
2020-06-06 19_22_21-Autodesk Fusion 360
2020-06-06 19_22_02-Autodesk Fusion 360

All the bolts are M3 I used are 10mm length.

The nut version

which bolts thru from this side.

I made the countersinks 5mm on the first plate I made ( not pictured), then hot welded an M3 threaded insert into the plastic, on the metal one i’d have just put an M3 nut in there.

To drive it i’m using  the Polulu  Tic’s https://www.pololu.com/category/212/tic-stepper-motor-controllers they don’t seem to have a dual one, or chainable so its two USBs at the moment.

that us more or less it. 3D print or mill the plates, attach the stick vise to the first plate, then the stick vise+plate to the first linear rail, then put the nuts or inserts on the second plates two holes (spaced 20mm ) and then bolt the second plate to the second longer linear rail with four M3 10mms, put the first shorter linear rail on top of the second, and use two M3 10mm bolts to hold it in place.

this is the overlay of the tracks on the pcb, pre XY. so now the plan is to  move the pcb around and have the tracks around.

2020-06-06 19_46_40-Dr Terrible's House of Bloggable – Stuff i posted - Brave

I’ll do a more detailed write up when its up and running in measuretwice. there were some notes in this post


fibre laser arrives… let the games begin

We picked up a 60W fibre laser after we were looking for some stuff and saw a youtube video on MOPA lasering…

Fast forward to the arrival, it got stuck in customs partly due to FDA, partly due to the time of year, we picked it up from Kelly @ Wuhan Optical which of course has its own drama right after the New Years break with the virus. Which meant even though it’d been  in customs for a while, it was very carefully disinfected with alcohol etc during unpacking.

After setup we fired up the laser and did some tests.

60W MOPA Fibre laser, it is a tasty piece of kit


There is  bunch of stuff to setup in the configs and try to tune it to the coloured metal output. Like this! Amazing stuff.

Pretty neat

Stainless Steel


Copper coated plastic or something



No dither


Stainless steel 0.15mm thick


Tool Plate


Welding plate from Lowes, hard to see the colours




Block of aluminium


The Setup

Thus follows a bunch of images ( A ) to share with others, (  B ) for us to find later.. .which is half what this blog is.

Make sure you load the correct CAL file  for the lense you are using, if you start EzCad2 and it says “Can’t find file” or such, it is likely missing the CAL file. Which you set the location of the in the Param(F3) menu

Settings for the actual engrave/cut.

Ok back to the blog.

The Chinese software is less than great…

Here we are again, most Chinese software actually does most of what you need, it is very focused on you can do it if you do enough fiddling around, and workarounds for 90% of the stuff it’ll cover, the make it work, and stopping before the make it great practice of software dev. But given the razor thin margins and other such things , who would be shocked ? China is really good at what they do, but it is very specific.

The first thing i notice about the software is the key (F1) to display the red safe for eyes laser to show the box or contour of the thing you’re about to lase , is right next to the KEY (F2) that actually fires the laser which is not safe for eyes… so that is a terrible design choice. so watch out for that. In China they don’t even use the protective glasses (not that the supplied ones are great, get some thorlabs ones), so they’re not worried about this issue I would imagine.

Since you can use the foot pedal to start the laser running, why not just disable F2 altogether ? I’ve already accidentally fired the laser once, but I swear I hit apply and not FIRE LASERS !!!

Motor Driver 12,800 steps setup on ours


60w Fibre Laser data sheet


The author(me) gets distracted during this write up.

Good question, Hmmm, ok why not, I’ll pause this text typing and go and look for it..(literally just happened)

Taking a look at EzCad2.exe imports I see lots of uses of


That would be for checking the state of virtual keys, and VK_F2 is 0x71.. 0x70 is F1, is that it?  Virtual Key Codes

I see, 0x10(VK_SHIFT), 17(VK_CONTROL) 164 (VK_LMENU) and 165 (VK_RMENU)

It’s looking for key modifiers which is a typical use of GetKeyState, most likely i’d look for the WinProc and see the key down/up events but we’re in MFC so it’ll likely be a handler via DDX , PreTranslateMessage, Accelerators CWnd func, etc.

Poking around to see if it is obvious which is used while running the app. I run it inside the debugger but not connected to the Laser, ahh, the keys are disabled since I have no control board connected, very sensible but less than ideal for what we’re doing here.

Looks like the standard way to enable/disable controls in MFC based on a call to the LMC Driver setup.

We can see that the dialog ID for the red laser is 17023/0x427f using Spy++


There are a few PostMessageW’s to that ID , both id 0x111 ( WM_COMMAND) with the dialog ID and 0 so menu. Seems like a thing. Which leads us to this :-

if ( wParam == 113 )


if ( wParam == 112)

113 and 112 are the virtual keys for F2 and F1 respectively. They each post a message to the dialog ID’s 17023 and 1321 so if this is the right spot looking at the ID for the Mark(F2) button would equal 1321


0x529 = 1321, so confirmed.

There are two places it checks that VK_ and they both call  PostMessageW(hwnd, WM_COMMAND, dialogID , 0 );

Here is one location

0x04FF7DD 83 7D 0C 70                             cmp     [ebp+wParam], 0x70

0x04FF808 83 7D 0C 71                             cmp     [ebp+wParam], 0x71

Changing those should change the key, if you need to update the GUI change LANG=lang_Enu.ini

For F2

CONTMARKALLPART=F2 Continuous mark all

For F1

MARKALLPART=F1 Mark all part

Also a couple of NOPs here and there will disable the key altogether! Note there are two sets of this code, this is just one.

0x04FF7DD 83 7D 0C 70                             cmp     [ebp+wParam], 0x70 ; VK_ Code
0x04FF7E1 75 25                                   jnz     short loc_0x4FF808

0x04FF7E3 6A 00                                   push    0x0              ; lParam
0x04FF7E5 68 7F 42 00 00                          push    0x427F           ; wParam
0x04FF7EA 68 11 01 00 00                          push    0x111            ; Msg
0x04FF7EF 8B 0D 44 AC 5B 00                       mov     ecx, dword_0x5BAC44
0x04FF7F5 E8 86 F2 F0 FF                          call    GetHwnd
0x04FF7FA 50                                      push    eax             ; hWnd
0x04FF7FB FF 15 5C 1A 56 00                       call    ds:PostMessageW
0x04FF801 33 C0                                   xor     eax, eax
0x04FF803 E9 E4 02 00 00                          jmp     loc_0x4FFAEC


0x04FF808 83 7D 0C 71                             cmp     [ebp+wParam], 0x71 ; VK Code
0x04FF80C 75 25                                   jnz     short loc_0x4FF833
0x04FF80E 6A 00                                   push    0x0              ; lParam
0x04FF810 68 29 05 00 00                          push    0x529            ; wParam
0x04FF815 68 11 01 00 00                          push    0x111            ; Msg
0x04FF81A 8B 0D 44 AC 5B 00                       mov     ecx, dword_0x5BAC44
0x04FF820 E8 5B F2 F0 FF                          call    GetHwnd
0x04FF825 50                                      push    eax            ; hWnd
0x04FF826 FF 15 5C 1A 56 00                       call    ds:PostMessageW

Saturday morning, I  ended up writing a little app to patch the EXE and change the keys, it searches for the code sequences for the VK’s which there are two of each, so I search for three, and if it only finds two sets, adjusts the location and changes the VK code then write outs a new EXE. I added the F keys and SPACE .. Don’t use a key thats already in use! Edit the lang\lang_enu.ini for english text to change the EzCad2 GUI to match the new keys.

Warning: You should never actually use this any of this information in this post, this linked app or even test it, as it may do something bad and unexpected to everything, and anything, damage you, damage the laser, the planet, etc. Its purely for informational purposes only.


I tried this app on the actual laser, it works but there is another place where F2 is getting used so have to find that one too. I set the red mark to VK_SPACE and then use the footswitch to fire the laser, that way you dont need to tap F1 or F2, i’ll find the others.

OK we’ve gone on a journey, now we’re back to writing up the rest.

So why are we doing this

Apart from the obvious, because we can, the host software isn’t great, why not, and the other reasons

We want to make stainless steel stencils for PCB, so i try an export of the DXF directly from Eagle, the gerber tCream and various modified versions via Illustrator , using type 3 .ai files. Unfortunately the geom doesn’t close properly the stating position and ending position of everything is off so it leaves a little tab behind, drawing it in ezcad works properly its only on the dxf/gerber/ai import this happens, the geo is contiguous and closed so its something else.

Looks good, except for the one corner that isn’t cut out!


After fiddling around I poke around at the software, we’ve already updated EzCad  from the version supplied. I’d like to be able to drive the laser directly so investigations begin.

Various notes i’ve found about the process

DXF import failed for R12 DXF’s AC1009 (eagle spits these out) loading in AI and exporting as DFX 2004 AC1018 worked.

Straight from Eagle R12 to EzCad2


Load into AI and export as 2004


R12 as viewed in AI


Now in EzCad2 as a 2004 DXF


Gerber import from eagle works, but pads end up as circles unless you add any rounded corner to the pads of your devices.

tCream as viewed in Eagle


tCream gerber as viewed in EzCad


The rectangular pads appear as circles, but rounded pads appear correctly. The workaround I found for this is tedious but worked


Edit the package, then the PAD properties and set roundness to something more than 0 then update the board, and re-export the gerber.

Laser fails to cut corners of shapes

This one is partly why I started this, we had a false test that allowed us to cut rectangles clearly but I think the settings changed between the working cut and then our stencil tests, basically one small tab at the end of the laser operation would be left behind.



At first since we could cut proper rectangles and only imported geo seemed to not work,  it seem like it was an import issue. But revisiting we decided to change some of the parameters


Start TC is the time to delay before cutting, it gives time for the system to catch up, –200 was the recommend value. Changing this to –400 pretty much cleared up the issue, but also increasing Laser Off TC  and Polygon TC to 300 helped as well Polygon TC is the dwell time when it finishes cutting one part of the line in the polygon, Laser off is how long the laser stays on at the end of the cutting operation. Increasing these too much will cause a larger burn area on corners or end of cut so you have to tune it.

Cutting 0.127mm stainless steel our settings currently are



For stencil material it is a little thinner at .011mm and we were able to cut that at Loop 30 , Power 55%

We fiddled with the Frequency(Khz) to get a smooth cut, this changes the amount of power at the cut too and it varies on the waveform, doesn’t just increase with frequency. The lowest setting for our cutter is 20 KHz which makes seperate distinctive dots. 50 KHz was the default and it wasn’t quite as smooth an edge so 75 worked. Q we’re keeping to be as close to a non MOPA fibre as possible.

The effects of the Frequency being too low, reduced power to see the effect



Tried hatching and engraving tests as well, melted, and reformed steel. Commerical stencil cutters are likely a moving head with air assist.


Cross hatch with a run around the edge.


EzCad can be infuriating

One of the annoyances for me is the pen selection, it took me a few tries to figure out if you have anything selected on the work area, you can’t choose a new pen on the right side, so pressing ESC or de-selecting any objects in the workspace fixes that. It takes fovever to setup your default pens, which are stored in the .ezd file too.

Deep Diving

Breaking down the .EZD format

Taking a look at the binary EZD format to see if we can get some insight on how to write custom ones.

First i loaded EzCad and just saved the empty workspace, this generates a 317KBfile. All the pens are in there.

The first thing tried is switching off Default param and resaving, them comparing

Looks good, a 00 to a 01, right side is default param on.

L27320    04 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00 00 40 7F 40 08 00 00 00  …………………….@@….
R27320    04 00 00 00 01 00 00 00 04 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00 00 40 7F 40 08 00 00 00  …………………….@@….


This seems promising, Unicode string, in blocks are there 256 of them?


[C:\ezcad\tests]strings -u default-param-off-empty.ezd >f

Strings v2.53 – Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals – http://www.sysinternals.com

[C:\ezcad\tests]wc f

f:                   Words: 257        Lines: 257        Chars: 1800

hmm 257?, a quick peek at the file F tells us why, the first string is EZCADUNI which is part of the header. so yep its 256 pens as expected.


There is a header too


Which is followed by a whole bunch of 00 FF FF FF, a


Lets see if the location of the Pens section is fixed, or if it moves around and theres a section pointer or something, i’ll add a rectangle to the file and see what changes.

That causes quite a large change in the file. But its encouraging because what happened was it overwrote some info at the start of the file, some of the ff ff ff 00 changed, the pens seemed to stay in the same place and a whole chunk of stuff was added to the end of the file.


Lets change one of the pen settings now. I set Loop from1 to 2

L27320    04 00 00 00 00 00 00 00 04 00 00 00 02 00 00 00 08 00 00 00 00 00 00 00 00 40 7F 40 08 00 00 00  …………………….@@….
R27320    04 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00 00 40 7F 40 08 00 00 00  …………………….@@….

Which is in the default section


I’ll add some more shapes to the file and see if the pens move.

Another large change in that first section with the FF FF FF 00 and this time a smaller amount of data, i added a circle at 0,0 and 10mm


Pens didn’t move though. Lets change another parameter in the pen. I changed speed from 500 to 501

R27320    04 00 00 00 00 00 00 00 04 00 00 00 02 00 00 00 08 00 00 00 00 00 00 00 00 40 7F 40 08 00 00 00  …………………….@@….

L27320    04 00 00 00 00 00 00 00 04 00 00 00 02 00 00 00 08 00 00 00 00 00 00 00 00 50 7F 40 08 00 00 00  …………………….P@….

Speed 502

L27320    04 00 00 00 00 00 00 00 04 00 00 00 02 00 00 00 08 00 00 00 00 00 00 00 00 50 7F 40 08 00 00 00  …………………….P@….
R27320    04 00 00 00 00 00 00 00 04 00 00 00 02 00 00 00 08 00 00 00 00 00 00 00 00 60 7F 40 08 00 00 00  …………………….`@….

Speed 1000, from 502

Changing Power from 100 to 1

L27340    00 00 00 00 00 00 F0 3F 04 00 00 00 20 4E 00 00 04 00 00 00 04 00 00 00 04 00 00 00 2C 01 00 00  ……ð?…. N…………..,…
R27340    00 00 00 00 00 00 59 40 04 00 00 00 20 4E 00 00 04 00 00 00 04 00 00 00 04 00 00 00 2C 01 00 00  ……Y@…. N…………..,…

So its a mix of ints and doubles.

0x27300 R value byte
0x27301 G value byte
0x27302 G value byte
0x27304 Length of Unicode string int. 4 bytes,
0x27308 Unicode Default 440065006600610075006C0074000000

This moves depending on length of the parameter name, so these are absolute with a unicode string length of 0x10 from base to consider

0x27324 Use default parameter  uint8
0x2732c for Loop (range seems 1 to 10,000)  4 bytes int
0x27334 for Speed(MM) its stored as a double 8 bytes.
0x27340 for Power% double
0x2734c for Frequency(Khz) Int32 4 bytes, max 10,000

Checking Q but its +4 i think and uint32

0x2735c for Start TC Int32 4 bytes signed
0x273e4 for Laser Off TC(US) uint32 4 bytes, max 10,000
0x27364 for End TC(US) uint32 4 bytes, max 10,000
0x2736C for Polygon TC(US) uint32 4 bytes, max 10,000

Enough to start a simple application to edit these valus, firing up MSVC.

Few hours later !


I’m using default values for testing, so they don’t necessarily make sense yet. Added import and export of CSV so you can edit in text or a spreadsheet, or even share on google sheets etc. has Q since ours is a MOPA.

I found some test grids on web that seem to be an older verison of ezCad and there is an  offset difference, which i figured there would be since its such a large offset into the file.

Loading and resaving the EZD in the version of EZCad 2.14.11 i used while testing moved it to the same offset. 0x27300 for mine, 0x464 for the one i found on the web, here’s the header. Since you can load and resave it and it appears at the same offset i’m not super worried but it’d be nice to decode how it knows where it is, assuming there is some relative offset.


EZD writing and CSV Export working


It is feature complete now and i put it on my github for testing, it is very specific to the version of EzCad so i’ve only tested 2.14.11


I think i figured out how the pen offset works , offset 0x160 has a uint32_t that gets to the base of the pens – 0x10, tested a few versions of .ezd files and it worked ok, github updated again.


Into the Driver

EzCad2 comes with its own driver board the LMC1/4fiber etc which work over USB and also double a as dongle, which means you can’t use EzCad2 offline as it can’t save. A quick 30 second poke with a hex editor fixed that though just so I could use it on my main PC for testing and it takes FOREVER to build the arrays to test different power and frequency levels

LMC1.dll LMCMIO.dll are the main files for talking to the board, there is an MarkEz.dll available that you can use to interface with the laser, but it is really high level and  might be a paid option ?

I converted the header to English.


// All functions return an integer value
#define LMC1_ERR_SUCCESS 0 // Success
#define LMC1_ERR_EZCADRUN 1 // Found that EZCAD is running
#define LMC1_ERR_NOFINDCFGFILE 2 // Cannot find EZCAD.CFG
#define LMC1_ERR_FAILEDOPEN 3 // Failed to open LMC1
#define LMC1_ERR_NODEVICE 4 // No valid lmc1 device
#define LMC1_ERR_HARDVER 5 // lmc1 version error
#define LMC1_ERR_DEVCFG 6 // Cannot find the device configuration file
#define LMC1_ERR_STOPSIGNAL 7 // Alarm signal
#define LMC1_ERR_USERSTOP 8 // User stops
#define LMC1_ERR_UNKNOW 9 // Unknown error
#define LMC1_ERR_OUTTIME 10 // Timeout
#define LMC1_ERR_NOINITIAL 11 // Not initialized
#define LMC1_ERR_READFILE 12 // Error reading file
#define LMC1_ERR_OWENWNDNULL 13 // The window is empty
#define LMC1_ERR_NOFINDFONT 14 // Cannot find the font with the specified name
#define LMC1_ERR_PENNO 15 // Wrong pen number
#define LMC1_ERR_NOTTEXT 16 // The object with the specified name is not a text object
#define LMC1_ERR_SAVEFILE 17 // Failed to save the file
#define LMC1_ERR_NOFINDENT 18 // The specified object cannot be found
#define LMC1_ERR_STATUE 19 // This operation cannot be performed in the current state

// Initialize the lmc1 control card
// input parameter: strEzCadPath EzCad software execution path
// bTestMode = TRUE means test mode bTestMode = FALSE means normal mode
// pOwenWnd represents the parent window object. If stop marking is required, the system will intercept messages from this window.

typedef int ( *LMC1_INITIAL ) ( wchar_t* strEzCadPath, //ezcad’s working directory
                                BOOL bTestMode, // Whether it is a test mode
                                 HWND hOwenWnd ); // The parent window

// Close the lmc1 control card

typedef int ( *LMC1_CLOSE ) ();

typedef int  ( *LMC1_STOPMARK ) ();

// Load the ezd file and clear all objects in the database
// Input parameters: strFileName EzCad file name
typedef int ( *LMC1_LOADEZDFILE ) ( wchar_t* strFileName );

// Mark all data in the current database
// Input parameters: bFlyMark = TRUE enables flying marking bFlyMark = FALSE enables flying marking
typedef int ( *LMC1_MARK ) ( BOOL bFlyMark );

// Mark the specified object in the current database
// input parameter: strEntName the name of the specified object to be processed
typedef int ( *LMC1_MARKENTITY ) ( wchar_t* strEntName );

// Fly mark the specified object in the current database
// input parameter: strEntName
typedef int ( *LMC1_MARKENTITYFLY ) ( wchar_t* strEntName );

// read the input port of lmc1
// input parameter: data of input port read in
typedef int ( *LMC1_READPORT ) ( WORD& data );

// Write the output port of lmc1
// input parameter: the data of the output port to write to
typedef int ( *LMC1_WRITEPORT ) ( WORD data );

// Get a preview image of all data in the current database
// input parameter: pWnd to which window the preview image is displayed
// nBMPWIDTH preview image width
// nBMPHEIGHT height of preview image
typedef  CBitmap* ( *LMC1_GETPREVBITMAP ) ( HWND hwnd, int nBMPWIDTH, int nBMPHEIGHT );

// Call the dialog for setting device parameters
typedef int ( *LMC1_SETDEVCFG ) ();

const int HATCHATTRIB_ALLCALC = 0x01;// All objects are calculated together as a whole
const int HATCHATTRIB_BIDIR   = 0x08;// Bidirectional padding
const int HATCHATTRIB_EDGE    = 0x02;// Walk once
const int HATCHATTRIB_LOOP    = 0x10;// Ring fill

// Set the current filling parameters. If you want to enable filling when adding a new object to the database, this parameter will be used
typedef int ( *LMC1_SETHATCHPARAM ) ( BOOL bEnableContour, // Enable the contour itself
                                       int bEnableHatch1, // Enable fill 1
                                       int nPenNo1, // fill pen
                                       int nHatchAttrib1, // fill attribute
                                       double dHatchEdgeDist1, // fill line margins
                                      double dHatchLineDist1, // fill line spacing
                                       double dHatchStartOffset1, // The starting offset distance of the fill line
                                      double dHatchEndOffset1, // The end offset distance of the fill line
                                       double dHatchAngle1, // fill line angle (radian value)
                                      int bEnableHatch2, // Enable padding 1
                                       int nPenNo2, // fill pen
                                       int nHatchAttrib2, // fill attribute
                                       double dHatchEdgeDist2, // fill line margins
                                      double dHatchLineDist2, // fill line spacing
                                      double dHatchStartOffset2, // The starting offset distance of the fill line
                                      double dHatchEndOffset2, // The end offset distance of the fill line
                                       double dHatchAngle2 ); // fill line angle (radian value)

// Set the current font parameters. If you want to add a new text object to the database, this font parameter will be used.
typedef int ( *LMC1_SETFONTPARAM ) ( wchar_t * strFontName, // font name
                                     double dCharHeight, // character height
                                      double dCharWidth, // character width
                                      double dCharAngle, // character inclination
                                     double dCharSpace, // character spacing
                                     double dLineSpace, // line spacing
                                     BOOL bEqualCharWidth ); // etc. Character width mode

// Get the processing parameters corresponding to the specified pen number
typedef int ( *LMC1_GETPENPARAM ) ( int nPenNo, // the pen number to be set (0-255)
                                    int & nMarkLoop, // processing times
                                    double & dMarkSpeed, // Marking times mm / s
                                     double & dPowerRatio, // power percentage (0-100%)
                                    double & dCurrent, // Current A
                                    int & nFreq, // frequency HZ
                                    int & nQPulseWidth, // Q pulse width us
                                    int & nStartTC, // start delay us
                                    int & nLaserOffTC, // Laser off delay us
                                     int & nEndTC, // end delay us
                                     int & nPolyTC, // corner delay us //
                                     double & dJumpSpeed, // jump speed mm / s
                                     int & nJumpPosTC, // Jump position delay us
                                    int & nJumpDistTC, // Jump distance delay us
                                     double & dEndComp, // end point compensation mm
                                     double & dAccDist, // Acceleration distance mm
                                    double & dPointTime, // dot delay ms
                                    BOOL & bPulsePointMode, // Pulse point mode
                                     int & nPulseNum, // Number of pulse points
                                     double & dFlySpeed );

// Set the processing parameters corresponding to the specified pen number
typedef int ( *LMC1_SETPENPARAM ) ( int nPenNo, // the pen number to be set (0-255)
                                    int nMarkLoop, // processing times
                                    double dMarkSpeed, // Marking times mm / s
                                    double dPowerRatio, // power percentage (0-100%)
                                     double dCurrent, // Current A
                                     int nFreq, // frequency HZ
                                     int nQPulseWidth, // Q pulse width us
                                     int nStartTC, // start delay us
                                    int nLaserOffTC, // Laser off delay us
                                    int nEndTC, // end delay us
                                    int nPolyTC, // corner delay us //
                                    double dJumpSpeed, // jump speed mm / s
                                     int nJumpPosTC, // Jump position delay us
                                     int nJumpDistTC, // jump distance delay us
                                     double dEndComp, // end point compensation mm
                                    double dAccDist, // Acceleration distance mm
                                     double dPointTime, // dot delay ms
                                     BOOL bPulsePointMode, // Pulse point mode
                                     int nPulseNum,
                                     double dFlySpeed ); // Number of pulse points

// Clear all data in the object library
typedef int ( *LMC1_CLEARENTLIB ) ();

// The meaning of the numbers in the alignment
//   6 —  5 — 4
//   |            |
//   |            |
//   7     8      3
//   |            |
//   |            |
//   0 —  1 — 2

// Add new text to the database
typedef int ( *LMC1_ADDTEXTTOLIB ) ( wchar_t * pStr, // string to add
                                      wchar_t * pEntName, // String object name
                                      double dPosX, // x coordinate of the bottom left corner of the string
                                      double dPosY, // the y-coordinate of the bottom left corner of the string
                                     double dPosZ, // the z coordinate of the string object
                                      int nAlign, // alignment mode 0-8
                                      double dTextRotateAngle, // Angle value (radian value) of the string rotation around the base point
                                      int nPenNo, // processing parameters used by the object
                                     BOOL bHatchText ); // Whether to fill the text object

// Add the specified file to the database
// Supported files are ezd, dxf, dst, plt, ai, bmp, jpg, tga, png, gif, tiff, etc.
typedef int ( *LMC1_ADDFILETOLIB ) ( wchar_t * pFileName, // file name
                                      wchar_t * pEntName, // String object name
                                     double dPosX, // The x coordinate of the base left corner of the file
                                      double dPosY, // y-coordinate of the base point of the bottom left corner of the file
                                      double dPosZ, // z-coordinate of the file
                                      int nAlign, // alignment mode 0-8
                                     double dRatio, // File scaling
                                     int nPenNo, // processing parameters used by the object
                                      BOOL bHatchFile ); // Whether the file object is filled. This parameter is invalid if it is an ezd file or a bitmap file.

// Add the curve to the database
typedef int ( *LMC1_ADDCURVETOLIB ) ( double ptBuf[][2], // curve vertex array
                                       int ptNum, // number of curve vertices
                                      wchar_t * pEntName, // curve object name
                                      int nPenNo, // Pen number used by the curve object
                                       int bHatch ); // whether the curve is filled

#define BARCODETYPE_39 0
#define BARCODETYPE_93 1
#define BARCODETYPE_128A 2
#define BARCODETYPE_128B 3
#define BARCODETYPE_128C 4
#define BARCODETYPE_128OPT 5
#define BARCODETYPE_25 13
#define BARCODETYPE_PDF417 16

#define BARCODEATTRIB_REVERSE 0x0008 // Barcode reverse
#define BARCODEATTRIB_HUMANREAD 0x1000 // Display human recognition characters
#define BARCODEATTRIB_CHECKNUM 0x0004 // A check code is required
#define BARCODEATTRIB_PDF417_SHORTMODE 0x0040 // PDF417 is shortened mode
#define BARCODEATTRIB_DATAMTX_DOTMODE 0x0080 // DataMtrix is ​​in dot mode
#define BARCODEATTRIB_CIRCLEMODE 0x0100 // Customize QR code to circle mode

#define DATAMTX_SIZEMODE_10X10 1
#define DATAMTX_SIZEMODE_12X12 2
#define DATAMTX_SIZEMODE_14X14 3
#define DATAMTX_SIZEMODE_16X16 4
#define DATAMTX_SIZEMODE_18X18 5
#define DATAMTX_SIZEMODE_20X20 6
#define DATAMTX_SIZEMODE_22X22 7
#define DATAMTX_SIZEMODE_24X24 8
#define DATAMTX_SIZEMODE_26X26 9
#define DATAMTX_SIZEMODE_32X32 10
#define DATAMTX_SIZEMODE_36X36 11
#define DATAMTX_SIZEMODE_40X40 12
#define DATAMTX_SIZEMODE_44X44 13
#define DATAMTX_SIZEMODE_48X48 14
#define DATAMTX_SIZEMODE_52X52 15
#define DATAMTX_SIZEMODE_64X64 16
#define DATAMTX_SIZEMODE_72X72 17
#define DATAMTX_SIZEMODE_80X80 18
#define DATAMTX_SIZEMODE_88X88 19
#define DATAMTX_SIZEMODE_96X96 20
#define DATAMTX_SIZEMODE_104X104 21
#define DATAMTX_SIZEMODE_120X120 22
#define DATAMTX_SIZEMODE_132X132 23
#define DATAMTX_SIZEMODE_144X144 24
#define DATAMTX_SIZEMODE_8X18 25
#define DATAMTX_SIZEMODE_8X32 26
#define DATAMTX_SIZEMODE_12X26 27
#define DATAMTX_SIZEMODE_12X36 28
#define DATAMTX_SIZEMODE_16X36 29
#define DATAMTX_SIZEMODE_16X48 30

// Add barcode to database
typedef int ( *LMC1_ADDBARCODETOLIB ) ( wchar_t * pStr, // string
                                        wchar_t * pEntName, // String object name
                                        double dPosX, // The x coordinate of the base left corner of the character
                                        double dPosY, // Y-coordinate of the base left corner of the character
                                         double dPosZ, // character z coordinate
                                        int nAlign, // alignment mode 0-8
                                        int nPenNo,
                                        int bHatchText,
                                         int nBarcodeType, // Barcode type
                                        WORD wBarCodeAttrib, // Barcode attribute
                                        double dHeight, // the height of the entire barcode
                                         double dNarrowWidth, // the narrowest module width
                                        double dBarWidthScale[4], // bar width ratio (compared to the narrowest module width)
                                        double dSpaceWidthScale[4], // space width ratio (compared to the narrowest module width)
                                        double dMidCharSpaceScale, // character space ratio (compared to the narrowest module width)
                                        double dQuietLeftScale, // the left margin width ratio of the barcode (compared to the narrowest module width)
                                         double dQuietMidScale, // ratio of blank width in barcode (compared to the narrowest module width)
                                         double dQuietRightScale, // the right margin width ratio of the barcode (compared to the narrowest module width)
                                        double dQuietTopScale, // ratio of blank width on barcode (compared to the narrowest module width)
                                        double dQuietBottomScale, // ratio of blank width under barcode (compared to the narrowest module width)
                                         int nRow, // Number of QR code lines
                                         int nCol, // Number of QR code columns
                                        int nSizeMode, // DataMatrix size mode 0-30
                                         double dTextHeight, // Font height
                                         double dTextWidth, // Font width
                                         double dTextOffsetX, // X direction offset of human recognition characters
                                         double dTextOffsetY, // Y-direction offset of human recognition characters
                                        double dTextSpace, // Person recognition character spacing
                                         double dDiameter,
                                         wchar_t * pTextFontName ); // Text font name

// Change the text of the specified text object in the current database
// input parameter: strTextName the name of the text object whose content you want to change
// strTextNew new text content
typedef int ( *LMC1_CHANGETEXTBYNAME ) ( wchar_t * strTextName, wchar_t * strTextNew );

// Set the rotation transformation parameters
// Input parameters: dCenterX x coordinate of rotation center
// dCenterY y coordinate of rotation center
// dRotateAng rotation angle (radian value)
typedef void ( *LMC1_SETROTATEPARAM ) ( double dCenterX, double dCenterY, double dRotateAng );

//////////////////////////////////////// /////////////// //////////////////
// Extended axis function

// The extension axis moves to the specified coordinate position
// input parameter: axis extended axis 0 = axis 0 1 = axis 1
// GoalPos coordinate position
typedef int ( *LMC1_AXISMOVETO ) ( int axis, double GoalPos );

// Expansion axis correction origin
// input parameter: axis extended axis 0 = axis 0 1 = axis 1
typedef int ( *LMC1_AXISCORRECTORIGIN ) ( int axis );

// Get the current coordinates of the extended axis
// input parameter: axis extended axis 0 = axis 0 1 = axis 1
typedef double ( *LMC1_GETAXISCOOR ) ( int axis );

// The extension axis moves to the specified pulse coordinate position
// input parameter: axis extended axis 0 = axis 0 1 = axis 1
// nGoalPos pulse coordinate position
typedef int ( *LMC1_AXISMOVETOPULSE ) ( int axis, int nGoalPos );

// Get the current pulse coordinates of the extended axis
// input parameter: axis extended axis 0 = axis 0 1 = axis 1
typedef int ( *LMC1_GETAXISCOORPULSE ) ( int axis );

// Reset extended axis coordinates
// Input parameters: bEnAxis0 = enable axis 0 bEnAxis1 = enable axis 1
typedef double ( *LMC1_RESET ) ( BOOL bEnAxis0, BOOL bEnAxis1 );

// Font type attribute definition
#define FONTATB_JSF 0x0001 // JczSingle font
#define FONTATB_TTF 0x0002 // TrueType font
#define FONTATB_DMF 0x0004 // DotMatrix font
#define FONTATB_BCF 0x0008 // BarCode font

// Font record
struct lmc1_FontRecord {
    wchar_t szFontName[256]; // font name
    DWORD dwFontAttrib; // font attribute

// Get all font parameters supported by the current system
// Input parameters: None
// Output parameter: nFontNum font number
// Return parameter: lmc1_FontRecord * array of font records
typedef lmc1_FontRecord * ( *LMC1_GETALLFONTRECORD ) ( int & nFontNum );

// Save all objects in the current database to the specified ezd file
// Input parameters: strFileName ezd file name
typedef int ( *LMC1_SAVEENTLIBTOFILE ) ( wchar_t * strFileName );

// Get the maximum and minimum coordinates of the specified object.
typedef int ( *LMC1_GETENTSIZE ) ( wchar_t * pEntName, // String object name
                                    double & dMinx,
                                   double & dMiny,
                                   double & dMaxx,
                                   double & dMaxy,
                                    double & dZ );

// Move the relative coordinates of the specified object
typedef int ( *LMC1_MOVEENT ) ( wchar_t * pEntName, // String object name
                                 double dMovex,
                                double dMovey );

// Scale the specified object, zoom center coordinates (dCenx, dCeny)
typedef int ( *LMC1_SCALEENT ) ( wchar_t * pEntName, // String object name
                                 double dCenx,
                                 double dCeny,
                                  double dScaleX,
                                  double dScaleY );
// Mirror specified object, mirror center coordinates (dCenx, dCeny) bMirrorX = TRUE X direction mirror bMirrorY = TRUE Y direction
typedef int ( *LMC1_MIRRORENT ) ( wchar_t * pEntName, // String object name
                                   double dCenx,
                                  double dCeny,
                                  BOOL bMirrorX,
                                   BOOL bMirrorY );

// Rotate the specified object, and rotate the center coordinates (dCenx, dCeny)
typedef int ( *LMC1_ROTATEENT ) ( wchar_t * pEntName, // String object name
                                  double dCenx,
                                   double dCeny,
                                   double dAngle );
// Rotate the specified object, the coordinates of the rotation center (dCenx, dCeny) dAngle = rotation angle (positive counterclockwise, the unit is degree)
typedef int ( *LMC1_SETROTATEMOVEPARAM ) ( double dMoveX, // X displacement distance
        double dMoveY, // Y displacement distance
        double dCenterX, // X-coordinate of rotation center
        double dCenterY, // Y-coordinate of rotation center
         double dAngle ); // rotation angle
typedef int ( *LMC1_REDLIGHTMARK ) (); // Mark the red light frame

typedef int ( *LMC1_MARKLINE ) ( double x1,
                                 double y1,
                                 double x2,
                                  double y2,
                                 int pen ); //

typedef int ( *LMC1_MAKEPOINT ) ( double x,
                                   double y,
                                   double delay,
                                  int pen ); //
// Get the total number of objects
// output parameter: total number of objects
typedef int ( *LMC1_GETENTITYCOUNT ) ();

// Get the name of the object with the specified sequence number
// Input parameters: nEntityIndex The number of the specified object (circle: 0-(lmc1_GetEntityCount ()-1))
// output parameter: name of szEntName object
typedef int ( *LMC1_GETENTITYNAME ) ( int nEntityIndex, wchar_t szEntName[256] );

// Get the dog’s customer ID number
typedef WORD ( *LMC1_GETCLIENTID ) ();

typedef int ( *LMC1_GETCURCOOR ) ( double & x,
                                    double & y ); //

typedef int ( *LMC1_GOTOPOS ) ( double x, double y );
// Get the text of the specified object
typedef int ( *LMC1_GETTEXTBYNAME ) ( wchar_t * strTextName, wchar_t strText[256] );


It’s a good start but it is very tied to the version of EzCad we’re trying to see what the cost of the SDK is, it also seems like the LMC board has a lockout for the SDK mode that has to be unlocked by the EzCad folks, so a bit of a dead end.

Using the DLL is the usual LoadLibrary with GetProcAddress setup.

m_lmc1_LoadEzdFile ( ( LPTSTR ) ( “test.ezd”) );

etc…. Well it’d be nice to get yet more control.

Next lets look at the LMCMIO.dll, after extracting the exports with dumpbin /exports and and then undec to demangle the c++ names.

#ifndef _LMCMIO_H_
#define _LMCMIO_H_ (1)

// charliex
#define API __cdecl

#define tagR struct tagResult

tagR API MIO_AxisGoOrigin(unsigned char device,unsigned short,int,class CWnd *cWnd);

void API MIO_Close(int);
  void API MIO_Close(void);

tagR API MIO_Cmd(unsigned char device,unsigned short,unsigned short,unsigned short,unsigned short,unsigned short,unsigned short);
  tagR API MIO_DisableLaser(unsigned char device);
  tagR API MIO_ENABLEZ(unsigned char device,int);

int API MIO_EarseEpprom(unsigned char device);
  int API MIO_EleExecute(unsigned char device,char *,void *,unsigned long,void *,unsigned long,unsigned long &);

tagR API MIO_EnableLaser(unsigned char device);

int API MIO_EppromGetMark(unsigned char device,unsigned char * const);
  int API MIO_EppromSetMark(unsigned char device,unsigned char * const);
  int API MIO_EppromSetTimeStamp(unsigned char device);

tagR API MIO_ExecuteList(unsigned char device);
  tagR API MIO_GetAxisPos(unsigned char device,unsigned short);
  struct _GUID API MIO_GetClassGUID(void);

void * API MIO_GetDevHandle(int);

tagR API MIO_GetFlyWaitCount(unsigned char device,int,long &);
  tagR API MIO_GetListStatus(unsigned char device);
  tagR API MIO_GetLmcInfo(unsigned short * const);

int API MIO_GetLmcPartNo(unsigned char device,unsigned short &,unsigned short &);

tagR API MIO_GetMarkCount(unsigned char device,int,long &);
  tagR API MIO_GetPositionXY(unsigned char device);
  tagR API MIO_GetSerialNo(unsigned char device);
  tagR API MIO_GetState(unsigned char device);
  tagR API MIO_GetVersion(unsigned char device,unsigned short);
  tagR API MIO_GotoXY(unsigned char device,unsigned short x,unsigned short y);
  tagR API MIO_IPG_GetStMO_AP(unsigned char device);
  tagR API MIO_IPG_OpenMO(unsigned char device,int);
tagR API MIO_LaserSignalOff(unsigned char device);
  tagR API MIO_LaserSignalOn(unsigned char device);

int API MIO_ModifyEpprom(unsigned char device);

tagR API MIO_MoveAxisTo(unsigned char device,unsigned short,unsigned long,class CWnd *cwnd);
  tagR API MIO_NewCmd(unsigned char device,unsigned short *,unsigned long);

int API MIO_NxpGetDevelopNum(unsigned char device,void *,unsigned long);
  int API MIO_Open(int);
  int API MIO_OpenNewDev(void);
  int API MIO_ReadAllEpprom(unsigned char device,void *,unsigned long);
  int API MIO_ReadEpprom(unsigned char device,void *,unsigned long);
  int API MIO_ReadNxp(unsigned char device,void *,unsigned long);

tagR API MIO_ReadPort(unsigned char device);
  tagR API MIO_Reset(unsigned char device);
  tagR API MIO_ResetList(unsigned char device);
  tagR API MIO_RestartList(unsigned char device);
  tagR API MIO_SETZDATA(unsigned char device,unsigned char,unsigned char,unsigned short);
  tagR API MIO_SetAxisMotionParam(unsigned char device,unsigned short,unsigned short);
  tagR API MIO_SetAxisOriginParam(unsigned char device,unsigned short,unsigned short);
  tagR API MIO_SetControlMode(unsigned char device,unsigned short);
  tagR API MIO_SetDelayMode(unsigned char device,unsigned short);
  tagR API MIO_SetEndOfList(unsigned char device);
  tagR API MIO_SetFirstPulseKiller(unsigned char device,unsigned short);
  tagR API MIO_SetFlyRes(unsigned char device,unsigned short,unsigned short,unsigned short,unsigned short,unsigned short);
  tagR API MIO_SetFpkParam2(unsigned char device,unsigned short,unsigned short,unsigned short,unsigned short);
  tagR API MIO_SetFpkParam(unsigned char device,unsigned short,unsigned short,unsigned short,unsigned short);
  tagR API MIO_SetLaserMode(unsigned char device,unsigned short);

int API MIO_SetLmcPartNo(unsigned char device,unsigned short,unsigned short);
  tagR API MIO_SetMaxPolyDelay(unsigned char device,unsigned short);
  tagR API MIO_SetPwmHalfPeriod(unsigned char device,unsigned short);
  tagR API MIO_SetPwmPulseWidth(unsigned char device,unsigned short);
  tagR API MIO_SetSPISimmerCurrent(unsigned char device,unsigned short,int);
  tagR API MIO_SetStandby(unsigned char device,unsigned short,unsigned short,int);

int API MIO_SetSysParam(unsigned char device,unsigned char *,unsigned int,unsigned char *,unsigned int);

tagR API MIO_SetTiming(unsigned char device,unsigned short);
  tagR API MIO_StopExecute(unsigned char device);
  tagR API MIO_StopList(unsigned char device);
  tagR API MIO_TransferDataZ(unsigned char device,unsigned short *,unsigned long);
  tagR API MIO_Verify(unsigned char device);
  tagR API MIO_WriteAnalogPort1(unsigned char device,unsigned short);
  tagR API MIO_WriteAnalogPort2(unsigned char device,unsigned short);
  tagR API MIO_WriteAnalogPortX(unsigned char device,unsigned short,unsigned short);
  tagR API MIO_WriteCmdBuf(unsigned char device,struct tagLmcCmd *);
  tagR API MIO_WriteCorTable(unsigned char device,int,unsigned short (* const);[65][2]);

int API MIO_WriteEpprom(unsigned char device,void *,unsigned long);
  int API MIO_WriteNxp(unsigned char device,void *,unsigned long);

tagR API MIO_WritePort(unsigned char device,unsigned short,unsigned short);


Lots of interesting stuff there, C++ and C,  this looks like the last interface to the LMC1 board, there is also the LMC1.dll

Processing it in the same way , we see this.

public: __thiscall CLaserParamExtOutput::CLaserParamExtOutput(void) public: __thiscall CLmcDev::CLmcDev(class CLmcDev const &) public: __thiscall CLmcDev::CLmcDev(void) public: __thiscall CQComByte::CQComByte(class CQComByte const &) public: __thiscall CQComByte::CQComByte(void) public: __thiscall CLaserParamExtOutput::~CLaserParamExtOutput(void) public: __thiscall CLmcDev::~CLmcDev(void) public: virtual __thiscall CQComByte::~CQComByte(void) public: class CLaserParamExtOutput & __thiscall CLaserParamExtOutput::operator=(class CLaserParamExtOutput const &) public: class CLmcDev & __thiscall CLmcDev::operator=(class CLmcDev const &) public: class CQComByte & __thiscall CQComByte::operator=(class CQComByte const &) const CLmcDev::`vftable' const CQComByte::`vftable' public: int __thiscall CLmcDev::AddCmd(unsigned short,unsigned short,unsigned short,unsigned short,unsigned short,unsigned short) public: void __thiscall CQComByte::Answer(unsigned char *,int) public: int __thiscall CLmcDev::AppendNullCmd(void) public: int __thiscall CLmcDev::AppendNullCmdAndRun(void) public: int __thiscall CQComByte::Ask(unsigned char *,unsigned long,int) public: int __thiscall CQComByte::AskAnswerStop(unsigned char *,unsigned long,unsigned char) public: int __thiscall CQComByte::AskStr(class CString,int) public: int __thiscall CLmcDev::AxisGotoOrigin(int,int) public: int __thiscall CLmcDev::AxisMoveTo(int,double,int,int) public: int __thiscall CLmcDev::AxisMoveToDlg(int,double,int,int) public: int __thiscall CLmcDev::AxisMoveToGoal(int,int,int,int) public: double __thiscall CLmcDev::CalcJumpTime(double,unsigned short &) public: int __thiscall CLmcDev::ChangeEnt(class CEntity *) public: int __thiscall CLmcDev::CheckDevelopNumber(void) public: int __thiscall CLmcDev::CheckLaserState(int) public: void __thiscall CLaserParamExtOutput::Clear(void) public: void __thiscall CLmcDev::ClearLockInputPort(void) public: int __thiscall CLmcDev::Co2QuickPulseModeLine(class CArray<class Pt2d,class Pt2d &> &,int,double,double) public: int __thiscall CQComByte::Connect(void) protected: void __thiscall CLmcDev::D2P(int const &,double const &,unsigned short &)const public: void __thiscall CLmcDev::D2P(double const &,double const &,unsigned short &,unsigned short &)const public: int __thiscall CLmcDev::D2P_X(double const &)const public: int __thiscall CLmcDev::D2P_Y(double const &)const public: void __thiscall CQComByte::Destroy(void) public: void __thiscall CLmcDev::DestroyExcelCor(void) public: void __thiscall CQComByte::DisConnect(void) public: int __thiscall CLmcDev::EleExecute(char *,void *,unsigned long,void *,unsigned long,unsigned long &) public: void __thiscall CQComByte::EmptyAnswerBuf(void) public: void __thiscall CLmcDev::EnableLockInputPort(int) public: void __thiscall CLmcDev::ExcelCor(double &,double &) public: int __thiscall CLmcDev::ExeCurCmd(int) public: int __thiscall CLmcDev::ExecMarkCmdFile(int) public: int __thiscall CLmcDev::ExtAxisGetCurPos(int) public: int __thiscall CLmcDev::ExtAxisGotoOrigin(int) public: int __thiscall CLmcDev::ExtAxisMoveToPos(int,int,double,double,double) public: virtual int __thiscall CLmcDev::FinishMark(void) public: void __thiscall CQComByte::GetAnswer(unsigned char *,int,int &) public: int __thiscall CLmcDev::GetAxisCoorInt(int const &) public: class CString __thiscall CLmcDev::GetBoardHardInfoString(void) public: int __thiscall CLmcDev::GetCardNo(void)const public: int __thiscall CLmcDev::GetCardSN(void)const public: int __thiscall CLmcDev::GetCardState(unsigned short &) public: double __thiscall CLmcDev::GetCoor(int const &) public: int __thiscall CLmcDev::GetCurCmdNum(void) public: unsigned short __thiscall CLmcDev::GetCurOutPortData(void) public: int __thiscall CLmcDev::GetCurPosition(double &,double &) public: unsigned short __thiscall CLmcDev::GetDevState(void) protected: double __thiscall CLmcDev::GetDistMap(int const &,unsigned short const &)const public: class Pt2d __thiscall CLmcDev::GetExcelCorPt(class Pt2d) public: int __thiscall CLmcDev::GetFiberStateCode(void) public: void __thiscall CLmcDev::GetFieldOffset(double &,double &) public: int __thiscall CLmcDev::GetFlyPulseCount55(int,unsigned short &) public: int __thiscall CLmcDev::GetFlySpeed(double,double &) public: int __thiscall CLmcDev::GetFlyWaitCount(int,int &) public: int __thiscall CLmcDev::GetHardwareVer(unsigned short &,unsigned short &) public: int __thiscall CLmcDev::GetIOBoardType(void) public: int __thiscall CLmcDev::GetLaserStateErrCode(void) public: int __thiscall CLmcDev::GetLmcBoardNo(unsigned short &,unsigned short &) public: int __thiscall CLmcDev::GetLockInputPort(unsigned short &) public: int __thiscall CLmcDev::GetMarkCount(int,int &) public: int __thiscall CLmcDev::GetMarkTime(int &,int &,int &,int &) public: double __thiscall CLmcDev::GetMaxCurrent(void) public: double __thiscall CLmcDev::GetMaxPowerRatio(void) protected: unsigned short __thiscall CLmcDev::GetPluseMap(int const &,double const &)const public: double __thiscall CLmcDev::GetRealMap(double,double,double * const) public: int __thiscall CLmcDev::GetState(unsigned short &) public: unsigned short __thiscall CLmcDev::GetStopSignal(void) public: int __thiscall CLmcDev::GetUserData(unsigned short &,unsigned short &) public: int __thiscall CLmcDev::Goto(double,double) protected: int __thiscall CLmcDev::GotoOriginKernal(int,int) public: int __thiscall CLmcDev::IPGGetConfigExtend(int,unsigned short &,unsigned short &) public: int __thiscall CLmcDev::IPGGetPrepump(int &) public: int __thiscall CLmcDev::IPGGetPulseWidth(int &) public: int __thiscall CLmcDev::IPGGetPulseWidthMaxIndex(int &) public: int __thiscall CLmcDev::IPGGetPulseWidthPs(int &) public: int __thiscall CLmcDev::IPGSetConfigExtend(int,int) public: int __thiscall CLmcDev::IPGSetPrepump(int) public: int __thiscall CLmcDev::IPGSetPulseWidth(int) public: int __thiscall CLmcDev::IPGSetPulseWidthIndex(int) public: int __thiscall CLmcDev::IPGSetPulseWidthPs(int) public: void __thiscall CLmcDev::IPG_CloseMO(void) public: int __thiscall CLmcDev::IPG_GetStateMO_AP(unsigned short &) public: void __thiscall CLmcDev::IPG_OpenMO(void) public: int __thiscall CLmcDev::InitCfgExcelCor(struct LmcCfg *) public: int __thiscall CLmcDev::InitGetBoardHardInfo(void) public: int __thiscall CLmcDev::InitLmc(int,int) public: int __thiscall CLmcDev::InitZData(double *,unsigned long *,int,unsigned long,int) public: int __thiscall CLmcDev::InitZDataEx(double *,unsigned long *,int,int) public: int __thiscall CQComByte::IsAnswered(void) public: int __thiscall CLmcDev::IsAxisGoHome(int) public: int __thiscall CLmcDev::IsAxisInOrigin(int) public: int __thiscall CLmcDev::IsBoardSupportFun(int) public: int __thiscall CQComByte::IsConnect(void) public: int __thiscall CLmcDev::IsEntWillChange(class CEntity *) public: virtual int __thiscall CLmcDev::IsEsc(void) public: int __thiscall CLmcDev::IsExtAxisInOrigin(int,int) public: int __thiscall CLmcDev::IsMustDestroyDog(void) public: void __thiscall CLmcDev::IsSleepTimeCloseLaser(void) public: int __thiscall CLmcDev::IsStartExeList(void) public: int __thiscall CLmcDev::IsValidDev(void) public: int __thiscall CLmcDev::LaserLeakHandle(int) public: void __thiscall CLmcDev::LaserSignalOn(int) public: int __thiscall CLmcDev::MM2P(int const &,double const &)const public: int __thiscall CLmcDev::MarkBarcodePointMode(class CEntity *,int,double,double,class CMatrix2d *) public: int __thiscall CLmcDev::MarkEnt(class CEntity *,int,double,double,class CMatrix2d *) public: int __thiscall CLmcDev::MarkEntArray(class CEntity *,int,double,double,class CMatrix2d *) public: int __thiscall CLmcDev::MarkLineArray(class CArray<class Pt2d,class Pt2d &> &,double,double) public: int __thiscall CLmcDev::MarkWobble(class CArray<class Pt2d,class Pt2d &> &,double,double,double,double) public: int __thiscall CLmcDev::NewCmd(unsigned short *,int,unsigned short &,unsigned short &) public: struct tagResult __thiscall CLmcDev::New_MIO_AxisGoOrigin(unsigned char,unsigned short,int,class CWnd *) public: struct tagResult __thiscall CLmcDev::New_MIO_MoveAxisTo(unsigned char,unsigned short,unsigned long,class CWnd *) protected: void __thiscall CLmcDev::P2D(int const &,unsigned short const &,double &)const public: void __thiscall CLmcDev::P2D(unsigned short const &,unsigned short const &,double &,double &)const public: double __thiscall CLmcDev::P2D_X(int const &)const public: double __thiscall CLmcDev::P2D_Y(int const &)const public: double __thiscall CLmcDev::P2MM(int const &,int const &)const public: int __thiscall CLmcDev::QS_Digtal_Output(unsigned short,unsigned short) public: int __thiscall CQComByte::ReadCommBlock(unsigned char *,int) public: int __thiscall CLmcDev::ReadCorFile(class CString) public: int __thiscall CLmcDev::ReadPort(unsigned short &) public: virtual int __thiscall CLmcDev::ReadyMark(int) public: int __thiscall CLmcDev::Reset(void) public: virtual int __thiscall CLmcDev::Run(void) public: void __thiscall CLmcDev::SPI_CloseGlobal(void) public: void __thiscall CLmcDev::SPI_OpenGlobal(void) public: void __thiscall CLmcDev::SPI_SetWave(void) public: virtual int __thiscall CLmcDev::ScanBmp(class CEntity *,double,double,class CMatrix2d *) public: int __thiscall CLmcDev::ScanBmpPtBuf(struct BmpScanPt *,int,int,double,double,double) public: int __thiscall CLmcDev::SetAnalog2(unsigned short) public: int __thiscall CLmcDev::SetAxisAccTime(int) public: void __thiscall CLmcDev::SetBoardSNStr(class CString) public: void __thiscall CLmcDev::SetCardNo(int,int) public: int __thiscall CLmcDev::SetCo2FPK(int,double,double) public: int __thiscall CLmcDev::SetCurrent(double) public: void __thiscall CLmcDev::SetDevState(unsigned short,int) public: int __thiscall CLmcDev::SetDisableZ(void) public: int __thiscall CLmcDev::SetEnableZ(void) public: int __thiscall CLmcDev::SetFPK(int,int,double,double,int,int) public: int __thiscall CLmcDev::SetFlyRes(int,double,int,int,double,int,int) public: int __thiscall CLmcDev::SetFreqAnalogOutput(int) public: void __thiscall CLmcDev::SetJumpDelayTC(double,double) public: void __thiscall CLmcDev::SetMaxCurrent(double) public: void __thiscall CLmcDev::SetMaxPowerRatio(double) public: void __thiscall CLmcDev::SetOwen(class CWnd *) public: int __thiscall CLmcDev::SetPowerAnalogOutput(double) public: int __thiscall CLmcDev::SetSPISimmerCurrent(double) public: int __thiscall CLmcDev::SetZData(unsigned char,unsigned char,unsigned short) public: void __thiscall CLmcDev::ShowMarkInfo(class CString) public: int __thiscall CLmcDev::StandardMarkLine(class CArray<class Pt2d,class Pt2d &> &,int,double,double,int) public: int __thiscall CLmcDev::StopExecute(void) public: void __thiscall CLmcDev::UpdateCurAxisCoor(int) public: int __thiscall CLmcDev::VarTextElementConnectHostGetAnwser(class CEntSuperText *) public: int __thiscall CQComByte::WaitForAnswer(void) public: int __thiscall CLmcDev::WaitForFinish(void) public: int __thiscall CLmcDev::WaitForMarkFinish(void) public: int __thiscall CLmcDev::WeldLine(class CArray<class Pt2d,class Pt2d &> &,int,double,double) public: int __thiscall CLmcDev::WeldPoint(class CArray<class Pt2d,class Pt2d &> &,int,double,double) public: int __thiscall CQComByte::WriteCommBlock(unsigned char *,unsigned long) public: int __thiscall CLmcDev::WritePort(unsigned short) int __cdecl ctrlGetRaycusState(class CLmcDev *,unsigned short &,int &,int &) int __cdecl ctrlRaycusSetParam(class CLmcDev *,int,int,int) void __cdecl gf_CloseUsbMonitor(void) int __cdecl gf_DlgInputPassword(class CString &) int __cdecl gf_DlgSetCfg(int,class CLmcDev *,struct LmcCfg &,class CWnd *) class CString __cdecl gf_GetLmcCfgPath(void) class CLmcDev * __cdecl gf_GetLmcDev(void) struct tagResult __cdecl gf_GetLmcDevState(class CLmcDev *) void __cdecl gf_InitLmcCfg(struct LmcCfg &) int __cdecl gf_InitUsbMonitor(class CWnd *) int __cdecl gf_ReadLmcCfg(struct LmcCfg &,class CString) void __cdecl gf_RestartMark(void) int __cdecl gf_SaveLmcCfg(struct LmcCfg &,class CString) void __cdecl gf_SetLmcCfgPath(class CString) class CLmcDev * __cdecl gf_SetLmcDev(class CLmcDev *) void __cdecl gf_SetPauseFlag(int) int __cdecl gf_StartMarkDlg(class CString,class CString) int __cdecl gf_UsbMonitorGetNewDevice(void) public: int __thiscall CLmcDev::listChangeMarkCount(int) public: int __thiscall CLmcDev::listDelayTime(int) public: int __thiscall CLmcDev::listDelayTimeUs(int) public: int __thiscall CLmcDev::listDirectLaserSwitch(int) public: int __thiscall CLmcDev::listDirectMarkTo(double,double) public: int __thiscall CLmcDev::listEnableWeldPowerWave(int) public: int __thiscall CLmcDev::listEndOfList(void) public: int __thiscall CLmcDev::listFlyDelay(int) public: int __thiscall CLmcDev::listFlyEnable(int) public: int __thiscall CLmcDev::listFlyEncoderCount(int,int,int,int,int) public: int __thiscall CLmcDev::listIPGOpenMO(int) public: int __thiscall CLmcDev::listIPGPulseWidthIndex(int) public: int __thiscall CLmcDev::listIPGSetConfigExtend(int,int) public: int __thiscall CLmcDev::listIPGSetPrepump(int) public: int __thiscall CLmcDev::listIPGYLPMPulseWidth(int) public: int __thiscall CLmcDev::listIPGYLPMPulseWidthPs(int) public: int __thiscall CLmcDev::listJptSetParam(double,int,double) public: int __thiscall CLmcDev::listJumpSpeed(double) public: int __thiscall CLmcDev::listJumpTo(double,double,int) public: int __thiscall CLmcDev::listLaserExtOutput(int) public: int __thiscall CLmcDev::listLaserOffDelay(int) public: int __thiscall CLmcDev::listLaserOnDelay(int) public: int __thiscall CLmcDev::listLaserOnPoint(double) public: int __thiscall CLmcDev::listMarkCurrent(double) public: int __thiscall CLmcDev::listMarkEndDelay(int) public: int __thiscall CLmcDev::listMarkFreq(int) public: int __thiscall CLmcDev::listMarkPowerRatio(double) public: int __thiscall CLmcDev::listMarkPulseWidth(double) public: int __thiscall CLmcDev::listMarkSpeed(double) public: int __thiscall CLmcDev::listMarkTo(double,double,int) public: int __thiscall CLmcDev::listPolygonDelay(int) public: int __thiscall CLmcDev::listSetAnalogFPK(int,int,double,double,int,int) public: int __thiscall CLmcDev::listSetDaZ(double) public: int __thiscall CLmcDev::listSetDaZWord(unsigned short) public: int __thiscall CLmcDev::listSetMarkParam(struct MarkParam &) public: int __thiscall CLmcDev::listSetWeldPowerWave(int,unsigned short * const,unsigned short * const) public: int __thiscall CLmcDev::listWaitForInput(unsigned short,unsigned short) public: int __thiscall CLmcDev::listWritrPort(unsigned short) void __cdecl lmc_CloseDriver(void) int __cdecl lmc_GetValidDev(class CLmcDev * * const,int &) int __cdecl lmc_OpenDriver(int) public: int __thiscall CLmcDev::lsFlyWaitInput(int,int,int)

Yep, as figured this is a higher level C++ API to talk to LMCMIO.dll etc.

These are all 32 bit windows AFX/MFC dlls, you can tell via the CBitmap/CWnd etc

Some of the basic C funcs are just wrappers that call the MIO, like lmc_OpenDriver is a stub for MIO_Open, there is also a sprinkling of gf_ calls which seems mostly related to setup and configs as well as some utility functions.

DataMgr.dll is the other interesting DLL, that one is heavily tied to EzCad, checking the  LMC board and so on. more of the gf_  and AFX/MFC there interfaces to the barcode generation, Excel and huffman encoding in there too, so it does a lot of the heavy lifting for EzCad.

We’re trying to get the seller (Who has been very helpful so far) to work with us on the cutting issue for the stencils, unfortunately we have to get through all the basic troubleshooting and setup issues that most users will go thru (we did too) but i sent them an example EZD file that shows the issue, so hopefully they can cut it and test it, unfortunately New Year and Corona Virus since they’re in Wuhan….

So not a terrific amount of useful info so far, I was able to write a quick test app to init the system and see about the incompatibilities with the DLLs and different versions  of EzCad , it being a heavily C++ system there are a lot of ABI changes so anytime a vtable, or such changes it’ll break. It’s a lot easier to patch around this for pure C import DLLs.

Turning the file save on for EzCad to allow using it without being connected to the Laser, is useful too.

How to unmangle decorated names

This uses the undocumented unDNameEx function to demangle C++ names from msvc, its what the undname.exe uses, which you can just do a dumpbin /exports and feed the results into as well. First it scans the dll for the exports, then it demangles them. unDNameEx can cause memory issues if not used properly.

// demangler.cpp : This file contains the ‘main’ function. Program execution begins and ends there.


#include <windows.h>

#include <Dbghelp.h>

#pragma comment(lib,"dbghelp.lib")

#include <iostream>

#include <string>

#include <vector>

extern "C" PSTR __cdecl __unDNameEx(

    PSTR output_buffer,

     PCSTR mangled_name,

    DWORD cb,

    void* (__cdecl* memory_et)(DWORD),

    void(__cdecl* memory_free)(void*),

    PSTR(__cdecl* unk_GetParameter)(long i),

    DWORD un_flags


static const DWORD un_dwFlags = UNDNAME_COMPLETE;

static void* __cdecl _dAlloc(ULONG cb)


    return new (std::nothrow) char[cb];


static void __cdecl _dFree(void* p)


    if (p) {

    delete[] p;



static PSTR __cdecl _dGetParameter(long ignore)


    static char none[] = "";

    return none;


bool GetDLLFileExports(const char *szFileName, std::vector<std::string>&pszFunctions)


    HANDLE hFile;

    HANDLE hFileMapping;

    LPVOID lpFileBase;





    if (hFile == INVALID_HANDLE_VALUE) {

        return false;


    hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);

    if (hFileMapping == 0) {


         return false;


    lpFileBase = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);

    if (lpFileBase == 0) {



        return false;


    pImg_DOS_Header = (PIMAGE_DOS_HEADER)lpFileBase;

    pImg_NT_Header = (PIMAGE_NT_HEADERS)((LONG)pImg_DOS_Header + (LONG)pImg_DOS_Header->e_lfanew);

    if (IsBadReadPtr(pImg_NT_Header, sizeof(IMAGE_NT_HEADERS)) || pImg_NT_Header->Signature != IMAGE_NT_SIGNATURE) {




        return false;


    pImg_Export_Dir = (PIMAGE_EXPORT_DIRECTORY)pImg_NT_Header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;

    if (!pImg_Export_Dir) {




        return false;


    pImg_Export_Dir = (PIMAGE_EXPORT_DIRECTORY)ImageRvaToVa(pImg_NT_Header, pImg_DOS_Header, (DWORD)pImg_Export_Dir, 0);

    DWORD **ppdwNames = (DWORD **)pImg_Export_Dir->AddressOfNames;

    ppdwNames = (PDWORD*)ImageRvaToVa(pImg_NT_Header, pImg_DOS_Header, (DWORD)ppdwNames, 0);

    if (!ppdwNames) {




        return false;


    unsigned int nNoOfExports = pImg_Export_Dir->NumberOfNames;

    for (unsigned i = 0; i < nNoOfExports; i++) {

        char *szFunc = (PSTR)ImageRvaToVa(pImg_NT_Header, pImg_DOS_Header, (DWORD)* ppdwNames, 0);







    return true;


int main(int argc,char*argv[])      

    if (argc < 2) {

        fprintf(stderr,"need a dll to demangle as first parameter\n");




    if (GetDLLFileExports(argv[1], pszFunctions)) {

        for (auto s : pszFunctions) {

            // undecorate them

            char* pUndecorated = __unDNameEx(

                NULL, s.data(), 0

                , _dAlloc, _dFree, _dGetParameter, un_dwFlags);

            printf("%s;\n", pUndecorated);

            delete[] pUndecorated;




Whats next..

There are a few ways I usually head into this sort of work, RE it all and rebuild, write trace and trampoline DLLS that monitor whats going on, and can inject, google for other people doing it (usually do that one last, but so far haven’t seen one! )

With this project I believe writing a DLL that can trace and intercept the data going via LMCMIO.dll is the way to go, Rohitab’s API Monitor will do a lot there, but a proxy/trampoline/interposer DLL is going to be more useful. So lets do that instead…..

Exit stage left.


Act 1, Scene 2.

(this section is still in editing)

Proxy DLL

Some of the issues with making a proxy C++ DLL are around the name mangling, unlike C you can’t just alias it in the .def  file , which is also useful for pass thru.

The issue is that the linker sees the first @ and treats it as the ordinal or something else and terminates the name, so if the mangled name is ?Foo@@bar in the .DEF file , the linker will spit out ?Foo so when you go to load the dll it’ll fail. One way to fix the issue is to demangle the name and have the proxy DLL use the exact same name, which can be a hassle. So my approach was to post process the DLL to change the name, i’ll swap out @ in the name to $ or something that the DEF file will carry thru to the linker. Then we just post process the DLL to rename that $ back to the @.

Example of the original mangled function name

1    0 00001B60 ?MIO_AxisGoOrigin@@YA?AUtagResult@@EGHPAVCWnd@@@Z

demangled it looks like

struct tagResult API MIO_AxisGoOrigin(unsigned char device,unsigned short,int,class CWnd *cWnd);

so in the proxy DLL .def if you do (the aliased function is also changed but that is typical)

?MIO_AxisGoOrigin@@YA?AUtagResult@@EGHPAVCWnd@@@Z=QMIO_AxisGoOriginAAYAQAUtagResultAAEGHPAVCWndAAAZ @1

But what you’ll get is :-


Which of course isn’t great. compiling it as the demangled should be ok, however name mangling can change so its not always the best way to do it. So with this one, i’m going to replace the @’s with something else and then replace it in the resulting binary instead. It’d be great to find out yet another way, no amount of quoting in the DEF seems to fix it. But the SaR is usually fine.

A proxy DLL simply exports the original function names in its DLL and then internally loads the original DLL which is usually renamed. It then constructs a trampoline to jump to the original function

hL would be the original DLL, and we fetch the pointer to the original function

  p[0] = GetProcAddress(hL, “?MIO_AxisGoOrigin@@YA?AUtagResult@@EGHPAVCWnd@@@Z”);

For x86 you can just inline __asm the jump to the original function. Later on adding extra code to dump what its doing etc. For x64 it’d be an external .asm file. So far all the laser stuff is 32 bits so just covering that for now

extern “C”” {

    void QMIO_AxisGoOriginAAYAQAUtagResultAAEGHPAVCWndAAAZ() {


          {            jmp p[0 * 4]




Whats going on here is a DLL function lives at a memory address, GetProcAddress returns that address in memory. Instead of the original DLLs address we return our functions address, then after we run our code it jumps to the old DLL address and continues the function as normal,  we can snoop, change data skip it. and so on.

DLLs can do some interesting things like we can have it bypass our DLL and jump straight to the original function, in the original DLL as well.

Build the proxy DLL

I have a modified version of https://www.codeproject.com/Articles/16541/Create-your-Proxy-DLLs-automatically for this, there is also Proxify 

This the skeleton proxy function for MIO_AxisGoOrigin in LMCIO.DLL, it saves the flags and registers, then prints a message to the internal debug system in windows, then jumps to the original function.

Starting with LMCMIO.dll

// struct tagResult __cdecl MIO_AxisGoOrigin(unsigned char,unsigned short,int,class CWnd *)

// ?MIO_AxisGoOrigin@@YA?AUtagResult@@EGHPAVCWnd@@@Z

extern "C" __declspec(naked) void __E__0__()


    __asm pushad

    __asm pushfd

    OutputDebugStringA("struct tagResult __cdecl MIO_AxisGoOrigin(unsigned char,unsigned short,int,class CWnd *)\n");

    __asm popfd

    __asm popad






This code reads the address of the original function, and stores it for use in the proxy function

procs[E__MIO_AXISGOORIGIN__YA_AUTAGRESULT__EGHPAVCWND___Z] = GetProcAddress(hL,”?MIO_AxisGoOrigin@@YA?AUtagResult@@EGHPAVCWnd@@@Z”);

if( procs[E__MIO_AXISGOORIGIN__YA_AUTAGRESULT__EGHPAVCWND___Z] == NULL ) { OutputDebugStringA("Failed to get proc address ?MIO_AxisG

It replaces the ? and @’s with _ so that it will compiler properly as they are not valid C++ function names and we’ll deal with the binary later.

So stepping back slightly and generating a DLL to show the mangling issue as it appears , making a .DEF file that uses the mangled names


?MIO_AxisGoOrigin@@YA?AUtagResult@@EGHPAVCWnd@@@Z=__E__0__ @1

?MIO_Close@@YAXH@Z=__E__1__ @2

?MIO_Close@@YAXXZ=__E__2__ @3

?MIO_Cmd@@YA?AUtagResult@@EGGGGGG@Z=__E__3__ @4

?MIO_DisableLaser@@YA?AUtagResult@@E@Z=__E__4__ @5

Dumpbin /exports of the proxy.dll we can see the alias to the proxy function.

1    0 00011050 ?MIO_AxisGoOrigin = @ILT+75(___E__0__)

2    1 0001104B ?MIO_Close = @ILT+70(___E__1__)

3    2 00011046 ?MIO_Close = @ILT+65(___E__2__)

4    3 00011073 ?MIO_Cmd = @ILT+110(___E__3__)

5    4 00011055 ?MIO_DisableLaser = @ILT+80(___E__4__)

6    5 0001106E ?MIO_ENABLEZ = @ILT+105(___E__5__)

7    6 00011069 ?MIO_EarseEpprom = @ILT+100(___E__6__)

The typo in the API Earse makes me think of the Fast Show’s ERAS videos.

If we replace the LMCMIO.dll with our proxy, what happens? I’m building it on 2019 but compiling with 2013 toolset.

Renaming the original LMCMIO.dll  to LMCMIOold.dll and copying in the proxy dll to the same folder as EzCad2 and trying it, nothing happens. The app just exits with no warnings, but why?  Well it’s going to be an issue with the DLL name issue mentioned earlier, when windows tries to load functions from our proxy DLL it’ll fail, because the names are wrong, the oridinals are right but its rare anyone loads by index and not name, especially C++, how do we see this?

Windows has plenty of tools for this. We need the windows debugging tools, windbg x84 and gflags.exe. Gflags is going to allow us to turn on the internal DLL load tracing, so that we can see whats happening behind the scenes without any extra work.

Switch on SLS(show loader snaps) mode for EzCad2 and the DLL just so we can watch it later. Don’t forget to turn it off after we’re done as it generates a lot of data and will slow things down.

From the command line

gflags.exe -i EzCad2.exe +sls

gflags.exe –i LMC1.dll +sls

gflags.exe –i LMCMIO.dll +sls

C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\gflags.exe" -i EzCad2.exe +sls

Current Registry Settings for EzCad2.exe executable are: 00000002

    sls – Show Loader Snaps

DLLs also cascade load, that is the app loads a DLL, and that DLL loads another DLL. So I added the snap loader tracer to the LMC1.dll as well. WinDepends is a good place to start poking at DLL load order, as well windbg.

Next load windbgx86 and open the executable, EzCad2.exe.

There are a different modes for DLL loading sometimes its handled by windows on program start, sometimes its explicit code, or delay loading. In this case its being handled by windows so all we have to do is load it into the debugger and we’ll see the issue straight away without actually running EzCad2

Working backwards we can see LMCMIO failed to load

08bc:2130 @ 1440796701 – LdrpHandleOneOldFormatImportDescriptor – ERROR: Snapping the imports from DLL "C:\ezcad\newer\Lmc1.dll" to DLL "C:\ezcad\newer\LMCMIO.dll" failed with status 0xc0000139

08bc:2130 @ 1440796701 – LdrpLoadImportModule – RETURN: Status: 0xc0000139

08bc:2130 @ 1440796701 – LdrpHandleOneOldFormatImportDescriptor – ERROR: Loading "????" from the import table of DLL "C:\ezcad\newer\EzCad2.exe" failed with status 0xc0000139

08bc:2130 @ 1440796701 – LdrpInitializeProcess – ERROR: Walking the import tables of the executable and its static imports failed with status 0xc0000139

08bc:2130 @ 1440796701 – _LdrpInitialize – ERROR: Process initialization failed with status 0xc0000139

08bc:2130 @ 1440796701 – LdrpInitializationFailure – ERROR: Process initialization failed with status 0xc0000139

eax=00000000 ebx=7734206c ecx=0018f928 edx=0018f929 esi=c0000139 edi=7efdd000

eip=7725fcc2 esp=0018fcb0 ebp=0018fd00 iopl=0         nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246


7725fcc2 83c404          add     esp,4

Going back in the windbg logs

08bc:2130 @ 1440796701 – LdrpSnapThunk – WARNING: Hint index 0x23 for procedure "?MIO_OpenNewDev@@YAHXZ" in DLL "LMCMIO.dll" is invalid

08bc:2130 @ 1440796701 – LdrpSnapThunk – ERROR: Procedure "?MIO_OpenNewDev@@YAHXZ" could not be located in DLL "LMCMIO.dll"

(8bc.2130): Unknown exception – code c0000139 (first chance)

08bc:2130 @ 1440796701 – LdrpGenericExceptionFilter – ERROR: Function LdrpSnapIAT raised exception 0xc0000139

So it tried to load ?MIO_OpenNewDev@@YAHXZ from LMCMIO.dll which is the proxy DLL (Which this is an expected failure)

Going back to the .DEF file lets look at the function

?MIO_OpenNewDev@@YAHXZ=__E__35__ @36

Thats what it ought to look like, the ordinal is correct but its been terminated at the @@ , lets check whats in the actual DLL

dumpbin /exports LMCMIO.dll

       36   23 00011177 ?MIO_OpenNewDev = @ILT+370(___E__35__)

And there it is, the proxy alias is there , which the = @ILT part. So even though the .DEF is correct, the linker has terminated at the @ because thats the token to specify the ordinal (an ordinal is a numerical index for a function, versus a name)

So now we have to go back and fix this issue. I’ve already modified my dll proxy tool to correct the names in the C++ code (basically replacing the ?/@ with _ ) but the .DEF file still generates the C++ mangled name. I have to next modify the app to also spit out the new names in the .DEF then post process the DLL to put the original C++ mangled names back.

taking a break for dinner….

Post Processing the proxy DLL

After some dinner we restart.

So the plan is to change the proxy dll maker tool to output the sanatised names to the C++ code and the .DEF file, so instead of @ and ? it will substitute them for Q and A then after the DLL is compiled a, make a second tool that parses the original DLL exports and then sanatises them in the same way , read the proxy dll and search and replace the sanatised version with the original…

After modding the dll proxy tool, and compiling it , next is throwing together a quick SAR tool. ugh the double space wordpress html nonsense… i’ll clean it up on a edit pass.

// DLLSar.cpp : This file contains the ‘main’ function. Program execution begins and ends there#include <windows.h>

#include <iostream>

#include <string>

#include <fstream>

#include <streambuf>

#include <algorithm>

#include <vector>

std::vector<std::string> defList;

std::vector<std::string> replaceList;

// list of previously used names this run

std::vector<std::string> previouslyOnSAR;

// list of strings to backlist ( no replacement )

std::vector<std::string> blackListSAR;

bool SAR(const std::string& searchString, const std::string& replaceString, std::string& replaceBuffer)


    bool found = false;

    size_t pos = 0;

    if (searchString.length() != replaceString.length()) {

        std::cout << "bad replace" << std::endl;


        return false;


    // reset

    pos = replaceBuffer.find(searchString);

    while (pos != std::string::npos)


        // replace bufer.

         std::cout << "search = " << searchString << " replace " << replaceString << std::endl;

        replaceBuffer.replace(pos, searchString.size(), replaceString);

        found = true;

        std::cout << "-";

        // find next

        pos = replaceBuffer.find(searchString, pos + replaceString.size());


    return found;


bool exportProcAddresses(void* hModule)


#if defined( _WIN32 )  
    unsigned char* lpBase = reinterpret_cast<unsigned char*>(hModule);

    IMAGE_DOS_HEADER* idhDosHeader = reinterpret_cast<IMAGE_DOS_HEADER*>(lpBase);

    if (idhDosHeader->e_magic == 0x5A4D)


#if defined( _M_IX86 ) 
        IMAGE_NT_HEADERS32* inhNtHeader = reinterpret_cast<IMAGE_NT_HEADERS32*>(lpBase + idhDosHeader->e_lfanew);

#elif defined( _M_AMD64 ) 
        IMAGE_NT_HEADERS64* inhNtHeader = reinterpret_cast<IMAGE_NT_HEADERS64*>(lpBase + idhDosHeader->e_lfanew);

         if (inhNtHeader->Signature == 0x4550)


             IMAGE_EXPORT_DIRECTORY* iedExportDirectory = reinterpret_cast<IMAGE_EXPORT_DIRECTORY*>(lpBase + inhNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

             std::cout << "Procesing DLL" << std::endl;

            for (register unsigned int uiIter = 0; uiIter < iedExportDirectory->NumberOfNames; ++uiIter)


                char* szNames = reinterpret_cast<char*>(lpBase + reinterpret_cast<unsigned long*>(lpBase + iedExportDirectory->AddressOfNames)[uiIter]);

                //printf("%s\n", szNames);

                if (std::find(blackListSAR.begin(), blackListSAR.end(), szNames) != blackListSAR.end()) {

                    std::cout << "matched " << szNames << " skipped " << std::endl;





            return true;



    std::cerr << "DLL processing failed" << std::endl;

     return false;


bool parseDLL(const char* dllName)


    std::cout << "Parsing " << dllName << std::endl;


    if (!lib) {

        std::cerr << "load lib failed" << std::endl;

        return false;


    // empty the list


    return exportProcAddresses(lib);


std::string sanatise(std::string& name)


    std::string output = name;

    for (uint16_t i = 0; i < name.length(); i++) {

        if (name.at(i) == ‘?’) {

            output.at(i) = ‘Q’;


        if (name.at(i) == ‘@’) {

            output.at(i) = ‘A’;



    return output;


int main(int argc, char* argv[])


    std::string proxyBuffer;

    if (argc < 4) {



    // build list of exports from original DLL

    if (parseDLL(argv[1]) == false) {



    // proxied DLL

    try {

        std::ifstream inputFile(argv[2], std::ios::in | std::ios::binary | std::ios::ate);

        std::vector<char> dataVector(inputFile.tellg());

        inputFile.seekg(0, std::ios::beg);

        inputFile.read(dataVector.data(), dataVector.size());

        proxyBuffer.assign(dataVector.begin(), dataVector.end());


    catch (std::ofstream::failure & readErr)


        std::cerr << "\n\nFail occured when reading from file " << argv[2] << " "

            << readErr.what()

             << std::endl;

        return -3;


    uint16_t index = 0;

    // build list of replacements.

    for (auto originalName : defList) {

        std::cout << originalName << "\n" << sanatise(originalName) << "\n";

        replaceList.push_back( sanatise(originalName));


    index = 0;

    // replace them

    for (auto originalName : defList) {

        if (SAR( replaceList.at(index), originalName, proxyBuffer)) {

            std::cout << "Y";


        else {

            std::cout << "n";




    std::cout << "\n" << "Writing output file " << argv[3] << std::endl;


        try {

            std::ofstream outputFile(argv[3], std::ios::out | std::ios::binary);

            outputFile.write(proxyBuffer.data(), proxyBuffer.length());


        catch (std::ofstream::failure & writeErr) {

            std::cerr << "\nFail occured when writing to the output file " << argv[3] << " "

                 << writeErr.what()

                << std::endl;

             return -2;




After making the changes to the DLL proxy tool, the exports of the DLL now look like this, ( the ?s become Q and the @ becomes an A)

          1    0 00011050 QMIO_AxisGoOriginAAYAQAUtagResultAAEGHPAVCWndAAAZ = @ILT+75(___E__0__)

Running the SAR code using the original dll and proxied dlls as input, and an output name.

Looking at the output file with dumpbin /exports we see its changed as expected

1    0 00001B60

It correctly demangles as well, so lets see if it loads.

Testing in WinDBG X86

Lets try windbgx86 again. making sure to add +sls to the proxy dll with gflags, since it is the actual file that stores those changes and we’ve liekly overwritten it.

ModLoad: 0fe80000 0fea6000   C:\ezcad\newer\LMCMIO.dll

5754:2ecc @ 1448637171 – LdrpMapViewOfSection – RETURN: Status: 0x00000000

5754:2ecc @ 1448637171 – LdrpFindOrMapDll – RETURN: Status: 0x00000000

5754:2ecc @ 1448637171 – LdrpHandleOneOldFormatImportDescriptor – INFO: DLL "C:\ezcad\newer\LMCMIO.dll" imports "KERNEL32.dll"

5754:2ecc @ 1448637171 – LdrpLoadImportModule – ENTER: DLL name: KERNEL32.dll DLL path: C:\ezcad\newer;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86;C:\msys64\usr\bin;C:\msys64;C:\msys64\usr\bin;C:\Python36\Scripts\;C:\Python36\;C:\Python37;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v10.1\bin;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v10.1\libnvvp;C:\Program Files\Git LFS;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\

Great, no errors on Loading so lets try running EzCad2. 

Now we see the debugger spit out the following

int __cdecl MIO_Open(int)

Which is what was expected, it is at least now loading  our trampoline function which is just a simple debug string output for now.

// int __cdecl MIO_Open(int)

// ?MIO_Open@@YAHH@Z

extern "C" __declspec(naked) void __E__34__()


    __asm pushad

    __asm pushfd

    OutputDebugStringA("int __cdecl MIO_Open(int)\n");

    __asm popfd

    __asm popad



        jmp procs[E_QMIO_OPENAAYAHHAZ*4];



OK, so now we are inside our function, the proxy dll is working so far but I initially left in some debug code for testing proxy DLLs that made it keep looping the function. After rebuilding the proxy DLL I ran EzCad2 again in WinDbgx86 and :-


All working and the original DLL is also being called, we can see the debug trace calls to the functions being shown in the debug viewer, SLS is still on so it is much noiser output than normal. 

We can disable SLS for now. Just run gflags with –sls on the exe, and two dlls (Technically I haven’t tried it against the laser module, but trampoline/proxies generally either just work or they crash it is very rarely inbetween)

(3fe8.53a0): Break instruction exception – code 80000003 (first chance)

eax=00000000 ebx=00000000 ecx=94b00000 edx=0008e3c8 esi=fffffffe edi=00000000

eip=772e10a6 esp=0018fb08 ebp=0018fb34 iopl=0         nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246


772e10a6 cc              int     3

0:000> g

ModLoad: 75ec0000 75f20000   C:\Windows\SysWOW64\IMM32.DLL

ModLoad: 76d90000 76e5e000   C:\Windows\syswow64\MSCTF.dll

ModLoad: 00c00000 00c38000   C:\Windows\SysWOW64\odbcint.dll

DllMain called


ModLoad: 00c50000 00c5c000   C:\ezcad\newer\LMCMIOOLD.DLL

ModLoad: 70700000 70780000   C:\Windows\SysWOW64\uxtheme.dll

ModLoad: 75fc0000 75fef000   C:\Windows\syswow64\WINTRUST.dll

ModLoad: 75510000 75632000   C:\Windows\syswow64\CRYPT32.dll

ModLoad: 75750000 7575c000   C:\Windows\syswow64\MSASN1.dll

ModLoad: 6f1a0000 6f1a9000   C:\Windows\SysWOW64\hid.dll

int __cdecl MIO_Open(int)

ModLoad: 03080000 031df000   C:\Windows\SysWOW64\ole32.dll

ModLoad: 026f0000 02703000   C:\ezcad\newer\PLUG\AngleRotate.plg

ModLoad: 02730000 02743000   C:\ezcad\newer\PLUG\AngleRotate2.plg

ModLoad: 025a0000 025aa000   C:\ezcad\newer\PLUG\ChangeText.plg

ModLoad: 02750000 02775000   C:\ezcad\newer\PLUG\GlobeMark.plg

ModLoad: 02710000 02720000   C:\ezcad\newer\PLUG\IPGSet.plg

ModLoad: 02780000 02797000   C:\ezcad\newer\PLUG\jczfont.plg

ModLoad: 027a0000 027b2000   C:\ezcad\newer\PLUG\MultiFileMark.plg

ModLoad: 027c0000 027dd000   C:\ezcad\newer\PLUG\MultiPartMark.plg

ModLoad: 02af0000 02b25000   C:\ezcad\newer\PLUG\PowerRuler.plg

ModLoad: 03080000 030a7000   C:\ezcad\newer\PLUG\ReadFace3d.plg

ModLoad: 6b6e0000 6b7a8000   C:\Windows\SysWOW64\OPENGL32.dll

ModLoad: 6d260000 6d282000   C:\Windows\SysWOW64\GLU32.dll

ModLoad: 030b0000 030d3000   C:\ezcad\newer\PLUG\RingMark.plg

ModLoad: 02b40000 02b5b000   C:\ezcad\newer\PLUG\RingTextMark.plg

ModLoad: 030e0000 03102000   C:\ezcad\newer\PLUG\RotaryMark.plg

ModLoad: 02c50000 02c6a000   C:\ezcad\newer\PLUG\RotateText.plg

ModLoad: 03110000 03135000   C:\ezcad\newer\PLUG\Splitmark2.plg

ModLoad: 03140000 03152000   C:\ezcad\newer\PLUG\SuperProject.plg

ModLoad: 70b60000 70cfe000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.DLL

ModLoad: 745b0000 745be000   C:\Windows\SysWOW64\DEVRTL.dll

int __cdecl MIO_Open(int)

struct tagResult __cdecl MIO_GetLmcInfo(unsigned short * const)

struct _GUID __cdecl MIO_GetClassGUID(void)

void * __cdecl MIO_GetDevHandle(int)

void * __cdecl MIO_GetDevHandle(int)

void * __cdecl MIO_GetDevHandle(int)

void * __cdecl MIO_GetDevHandle(int)

void * __cdecl MIO_GetDevHandle(int)

void * __cdecl MIO_GetDevHandle(int)

void * __cdecl MIO_GetDevHandle(int)

void * __cdecl MIO_GetDevHandle(int)

DllMain called


eax=00000000 ebx=00000000 ecx=00000002 edx=00000000 esi=77342100 edi=773420c0

eip=7725fcc2 esp=0018fe70 ebp=0018fe8c iopl=0         nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246


7725fcc2 83c404          add     esp,4

Much less noiser output in the debugger .It also looks like the PLG plugins are actually DLLs since they’re being ModLoaded

We can see now that it is using MIO_Open, MIO_GetLmcInfo, MIO_GetClassGUID, MIO_GetDevHandle

Now I can actually start intercepting the calls and look at the data going by.

Since I was writing the code and the write up at the same time, it is time for another break for the evening and back for the rest of the intercept tomorrow!

So far changes to the proxy making application that can handle C++ name mangling with the post process SAR Tool and a basic Proxy DLL for LMCMIO, as well as figuring out the keyboard F1 and F2 code.

Onto stage 3!

Work in progress

Making a more useful trampoline is pretty straightforward

Add a couple of helper functi0ns that print out parameters, add some global storage (which in a DLL can be a fussy affair but lets start with simple)

static  char temp_buffer[1024];

void dump_ret_param(unsigned int paramindex, unsigned int count, unsigned int offset)


    static  char temp_buffer[1024];

    while (count–) {

        sprintf_s(temp_buffer, sizeof(temp_buffer), "param%d=0x%x, ", paramindex, param[paramindex][offset]);






void dump_return(unsigned int offset)


    static  char temp_buffer[1024];

    sprintf_s(temp_buffer, sizeof(temp_buffer), "returns=0x%x\n", param[0][offset]);



then we can modify the call like this, we replace the return address back to the caller with our own, so the program flow now goes :-

caller –> trampoline –> original function –> back to end of trampoline –> back to caller

we do this so we can know not only the parameters passed in, but any data returned, in this case EAX, since this is autogenerated code it is somewhat terse

there is an array of arrays for the parameters , upto 20, and an array of return addresses since functions may be called in parallel or from other areas of the dll etc. recursive calls will need something more sophisticated.

extern "C" __declspec(naked) void __E__34__()

     __asm pushad

    __asm pushfd

    // fetch out the return address

    __asm mov eax, [esp + 0x24]

    __asm mov returnAddress[E_QMIO_OPENAAYAHHAZ * 4], eax

    // fetch out the passed in parameter and store it in the param array

    __asm {    
        mov         ecx,2                                //param index

         imul        eax,ecx, (E_NUM_PROCS * 4)

        mov         edx, E_QMIO_OPENAAYAHHAZ

        mov            ebx, [esp + 0x28]

        mov         dword ptr param[eax + (edx * 4)],ebx


    // overwrite the stack ptrs return address, with our return address becase we want to know what the return value is

    __asm mov eax, jump_E_QMIO_OPENAAYAHHAZ

    __asm mov [esp + 0x24],eax

    OutputDebugStringA("int __cdecl MIO_Open(int) ");


    __asm popfd

    __asm popad



        jmp procs[E_QMIO_OPENAAYAHHAZ*4];



    __asm pushad

    __asm pushfd

    // show the return code from eax

    __asm mov param[E_QMIO_OPENAAYAHHAZ * 4], eax


    __asm popfd

    __asm popad

    /// back to original caller code

    __asm jmp returnAddress[E_QMIO_OPENAAYAHHAZ * 4]


Eakins Camera hackery pokery and the legend of MeasureTwice

After picking up an auto focus Eakins camera for PCB inspection and so on. I adapted my test app MeasureTwice which came from a history of wanting to measure where two holes were for a CNC operation the app grew as they do into my catchall app for inspection work.

I’ve wanted to add an XY table to it so i can capture a PCB or item larger than the view and within the workable ROI of the lense and be sharp, I finally got around to adding the X stage with a stepper on a screw and  track then added a USB control for it, ported in the control code to MT so that it can move the track back and forth.



Since the camera has autofocus , auto exposure etc. it’s desirable to control them from my MT app so i can fix them before starting a scan.

First things first is to pop open the camera and take a look, there’s a 3 pin connector internally that is a 3.3V Serial port called J50


popped out the board, 8 screws, slide out the assembly disconnect the fpc/ffc’s, Soldered in 3 wires (i cut up an old Samsung usb cable since they’re nicely made) added a zip tie as a strain relief



Serial port J50 looks like this square pad, round, round

[]- RX



The square pad I’d usually expect to see as ground, but there we go.



We used the power LED hole to pass the cable back through


and remounted the camera


Next step is to connect it to a USB 3.3V serial adapter

popping that open at 115Kbaud gives us a u-boot and log of the Linux boot.

U-Boot 2010.06 (Nov 22 2016 – 16:36:06)

NAND:  Check nand flash controller v610. found
Special NAND id table Version 1.36
Nand ID: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
No NAND device found!!!
0 MiB
Check spi flash controller v350… Found
Spi(cs1) ID: 0xC2 0x20 0x19 0xC2 0x20 0x19
Spi(cs1): Block:64KB Chip:32MB Name:”MX25L 256/257 35 E/F”
*** Warning – bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
USB:   scanning bus for devices… 2 USB Device(s) found
0 Storage Device(s) found
32768 KiB hi_sfc at 0:0 is now current device

## Booting kernel from Legacy Image at 82000000 …
   Image Name:   Linux-3.4.35
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2986672 Bytes = 2.8 MiB
   Load Address: 80008000
   Entry Point:  80008000
   Loading Kernel Image … OK

Starting kernel …

Uncompressing Linux… done, booting the kernel.
Booting Linux on physical CPU 0
Linux version 3.4.35 (root@linux-5w9i) (gcc version 4.8.3 20131202 (prerelease) (Hisilicon_v300) ) #2 Fri Jan 13 17:00:54 CST 2017
CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c53c7d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: hi3516a
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: mem=128M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:1M(boot),3M(kernel),26M(rootfs)
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 128MB = 128MB total
Memory: 124028k/124028k available, 7044k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 – 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 – 0xfffe0000   ( 896 kB)
    vmalloc : 0xc8800000 – 0xff000000   ( 872 MB)
    lowmem  : 0xc0000000 – 0xc8000000   ( 128 MB)
    modules : 0xbf000000 – 0xc0000000   (  16 MB)
      .text : 0xc0008000 – 0xc054a000   (5384 kB)
      .init : 0xc054a000 – 0xc056c434   ( 138 kB)
      .data : 0xc056e000 – 0xc059d800   ( 190 kB)
       .bss : 0xc059d824 – 0xc05bc9f8   ( 125 kB)
SLUB: Genslabs=11, HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
sched_clock: 32 bits at 49MHz, resolution 20ns, wraps every 86767ms
Console: colour dummy device 80×30
Calibrating delay loop… 1196.85 BogoMIPS (lpj=5984256)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
Initializing cgroup subsys freezer
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0x8041e4a8 – 0x8041e500
NET: Registered protocol family 16
Serial: AMBA PL011 UART driver
uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 40) is a PL011 rev2
console [ttyAMA0] enabled
uart:1: ttyAMA1 at MMIO 0x20090000 (irq = 41) is a PL011 rev2
bio: create slab <bio-0> at 0
SCSI subsystem initialized
hi-spi-master hi-spi-master.0: with 1 chip select slaves attached
hi-spi-master hi-spi-master.1: with 3 chip select slaves attached
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Switching to clocksource timer0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
VFS: Disk quotas dquot_6.5.2
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
squashfs: version 4.0 (2009/01/31) Phillip Lougher
NFS: Registering the id_resolver key type
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.18)
SGI XFS with security attributes, large block/inode numbers, no debug enabled
msgmni has been set to 242
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered (default)
io scheduler cfq registered
brd: module loaded
Spi id table Version 1.22
Spi(cs1) ID: 0xC2 0x20 0x19 0xC2 0x20 0x19
SPI nor flash boot mode is 3 Bytes
spi size: 32MB
chip num: 1
3 cmdlinepart partitions found on MTD device hi_sfc
3 cmdlinepart partitions found on MTD device hi_sfc
Creating 3 MTD partitions on “hi_sfc”:
0x000000000000-0x000000100000 : “boot”
0x000000100000-0x000000400000 : “kernel”
0x000000400000-0x000001e00000 : “rootfs”
Found Nand Flash Controller V610.
Nand ID: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
No NAND device found
Higmac dma_sg_phy: 0x87a00000
higmac_mdio_bus: probed
PHY mdio0:01 not found
ETH0: rgmii, phy_addr=1, mii_name=mdio0
ehci_hcd: USB 2.0 ‘Enhanced’ Host Controller (EHCI) Driver
hiusb-ehci hiusb-ehci.0: HIUSB EHCI
hiusb-ehci hiusb-ehci.0: new USB bus registered, assigned bus number 1
hiusb-ehci hiusb-ehci.0: irq 53, io mem 0x100b0000
hiusb-ehci hiusb-ehci.0: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
ohci_hcd: USB 1.1 ‘Open’ Host Controller (OHCI) Driver
hiusb-ohci hiusb-ohci.0: HIUSB OHCI
hiusb-ohci hiusb-ohci.0: new USB bus registered, assigned bus number 2
hiusb-ohci hiusb-ohci.0: irq 54, io mem 0x100a0000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
Initializing USB Mass Storage driver…
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
hisi_i2c hisi_i2c.0: Hisilicon [i2c-0] probed!
hisi_i2c hisi_i2c.1: Hisilicon [i2c-1] probed!
hisi_i2c hisi_i2c.2: Hisilicon [i2c-2] probed!
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
TCP: cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 17
NET: Registered protocol family 15
lib80211: common routines for IEEE802.11 drivers
Registering the dns_resolver key type
VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
mmc0: new high speed SDXC card at address aaaa
mmcblk0: mmc0:aaaa SE64G 59.4 GiB
mmcblk0: p1
VFS: Mounted root (jffs2 filesystem) on device 31:2.
Freeing init memory: 136K
usb 2-1: new low-speed USB device number 2 using hiusb-ohci
input: Dell Dell USB Optical Mouse as /devices/platform/hiusb-ohci.0/usb2/2-1/2-1:1.0/input/input0
generic-usb 0003:413C:3012.0001: input: USB HID v1.11 Mouse [Dell Dell USB Optical Mouse] on usb-hiusb-ohci-1/input0
[RCS]: /etc/init.d/S00devs
[RCS]: /etc/init.d/S01udev
Not recognise ACTION:change
Not recognise ACTION:change
Not recognise ACTION:change
[RCS]: /etc/init.d/S80network
[RCS]: /etc/init.d/S90hibernate
Password for ‘root’ changed
Auto login as root …
Jan  1 00:00:02 login[905]: root login on ‘ttyS000’

Welcome to HiLinux.
None of nfsroot found in cmdline.
His3516a_LoadDrivers Start…..!
~ # Hisilicon Media Memory Zone Manager
Module himedia: init ok
hi3516a_base: module license ‘Proprietary’ taints kernel.
Disabling lock debugging due to kernel taint
load sys.ko for Hi3516A…OK!
load tde.ko …OK!
load region.ko ….OK!
load vgs.ko for Hi3516A…OK!
ISP Mod init!
load viu.ko for Hi3516A…OK!
load vpss.ko ….OK!
load vou.ko ….OK!
load hifb.ko OK!
load rc.ko for Hi3516A…OK!
load venc.ko for Hi3516A…OK!
load chnl.ko for Hi3516A…OK!
load h264e.ko for Hi3516A…OK!
load h265e.ko for Hi3516A…OK!
load jpege.ko for Hi3516A…OK!
load vda.ko ….OK!
load ive.ko for Hi3516A…OK!
hi3516a_io driver init start
hi3516a_io driver init successful!
af pi level:0
af move steps:330
af move steps:320 10
insmod: can’t insert ‘/komod/extdrv/wdt.ko’: No such file or directory
*** Board tools : ver0.0.1_20121120 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f0050: 0x00000000 –> 0x00000001
*** Board tools : ver0.0.1_20121120 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f0054: 0x00000000 –> 0x00000001
*** Board tools : ver0.0.1_20121120 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f0058: 0x00000000 –> 0x00000001
*** Board tools : ver0.0.1_20121120 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f005c: 0x00000000 –> 0x00000001
*** Board tools : ver0.0.1_20121120 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x2003002c: 0x00090007 –> 0x00090007
init phy power successful!
load hi_mipi driver successful!
hi3516a_io driver init start
His3516a_LoadDrivers Finish…..!
***COPYRIGHT 2016 tagye technology****
DATE:Nov  1 2018,TIME:16:36:05
linear mode
–IMX290 1080P 60fps LINE Init OK!—-
Entering the cmos_fps_set!
vout start finish
Entering the cmos_fps_set!
open success:fd0 ===== 3
transmit error, int_raw_status: 0x750!

tx_abrt_cause is 1.

we can see the camera sensor model, iMX290 and the hi3516a processor, the tagye tech guys seem to have a patent on microscope digital zooming so they may supply the software.

no root password needed, though in the /mm.sh script it changes the password for root at every boot


#ifconfig eth0
#mount -t nfs -o nolock -o tcp  /mnt

echo “root:tagye1207” | chpasswd

ulimit -c 9999
ulimit -c 9999

mount -t vfat /dev/mmcblk0p1  /mnt/sdcard

export HOME=’/root’
export LD_LIBRARY_PATH=’/usr/local/lib:/usr/lib:/qt_lib’
export LOGNAME=’root’
export OLDPWD=’/qt_lib’
export PATH=’/usr/bin:/usr/sbin:/bin:/sbin’
export PWD=’/opt’
export QT_PLUGIN_PATH=’/qt_lib/plugins’
export QT_QWS_FONTDIR=’/qt_lib/fonts’
export QWS_DISPLAY=’LinuxFb:/dev/fb0′
export TERM=’vt100′
export USER=’root’

/opt/3516a_proc &
/opt/myTest_8.17 -qws -fn DejaVuSans.ttf &

so now there is a shell, there isn’t a lot going on there are two apps running one is handling the im290 setup and auto focus, the other handles the gui for the mouse. unfortunately there are no network usb driver .ko’s so sticking with serial at the moment.

the dev board for the 3516 has a gmac on it, so that is likely what the dev is using with the commented out ifconfig

/opt/3516a_proc &
/opt/myTest_8.17 -qws -fn DejaVuSans.ttf &

i pop on a arm7l version of  strace and  can now see the myTest app talking to a local socket at /tmp/UNIX.domain and /tmp/UNIX.domain1

connect(15, {sa_family=AF_LOCAL, sun_path=”/tmp/UNIX.domain1″}, 110) = 0
connect(16, {sa_family=AF_LOCAL, sun_path=”/tmp/UNIX.domain”}, 110) = 0

clicking buttons shows a write to socket 16, /tmp/UNIX.domain

write(16, “\7\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100
write(16, “\7\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100

write(16, “\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100
write(16, “\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100


3516a_proc is the one that controls the camera which looks like via i2c , the other mrTest is a QT app that does the overlay and then communicates with the 3516 app  with an AF_LOCAL IPC socket.

so instead of going back and forth with a fiddly sdcard, i grabbed lrsrz source code setup an ARM7L cross compiler on a lightsail instance and built it, transferred it to the sdcard and booted up the camera, now i can just use TeraTerm to ZMODEM upload over the serial console.

/mnt/sdcard # lrz -b -Z –c -y
lrz waiting to receive.**B0100000023be50

binary, zmodem with checksum and overwrite(clobber)

it is now slightly less of a hassle to transfer files to and from the camera, building the .ko for a usb ethernet adapter I’ll tackle later

pop up the camera UI set AF mode


from the strace before i believe \7 is the MF command

next is a very quick test app

#include <stdio.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#define SOCK_CLOEXEC 02000000UL

int main()
        struct sockaddr_un tolog;
        int sock = socket(AF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0);
        tolog.sun_family = AF_UNIX;
        strcpy(tolog.sun_path, “/tmp/UNIX.domain”);
        connect(sock, (struct sockaddr*)&tolog, sizeof(struct sockaddr_un));
        return 0;

compile it, pass it over to the serial app vi lxz and ,kill the mYtest app, then run our test app

connect(3, {sa_family=AF_LOCAL, sun_path=”/tmp/UNIX.domain”}, 110) = 0
write(3, “\7\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100
close(3)                                = 0
exit_group(-1093076012)                 = ?

re-run the myTest app

/opt/myTest_8.17 -qws -fn DejaVuSans.ttf

make sure you set the exports from the /mm.sh script first or the app will complain.


and it has changed to manual focus mode, neat!

ok lets double check with something else


might as well try to change it to B&W mode, so lets strace the command

this seems like a good candidate

write(16, “\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100

next to modify the test app (add \36 to the start of the buffer, compile, upload,and strace it

connect(3, {sa_family=AF_LOCAL, sun_path=”/tmp/UNIX.domain”}, 110) = 0
write(3, “\36\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100
close(3)                                = 0
exit_group(-1091580860)                 = ?

and yup it switches to B&W mode


ok so it seems like we’re going the right way so far. not everything in the GUI works like this I don’t believe, but if i can get AE/MF up and down focus control, and AE off and on it’ll be a good start. if its all just one or two bytes to set modes, it’d be trivial to adapt the app to just pass in the command on the argv and poke at it.

Leaving the myTest app running there is no problem with multiple applications talking to that local IPC socket, other than if you manage to write multiple things at once that conflict and the GUI will get  out of sync if you change things programmatically that are toggles, since the GUI is unaware of what you did.

next step is to catalogue the commands, then later start looking at the main application.

and on to add more features to the always growing MeasureTwice app…

Sometimes i’ll add the strace, others just the first byte

(these are out of date now use the github link https://github.com/charlie-x/eakins-camera )

Auto Focus

write(16, “\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100

Click focus


Manual Focus

write(16, “\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100

B&W on



write(15, “\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100 <0.000826>


write(15, “\f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100 <0.006507>


write(15, “\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0″…, 100) = 100 <0.001343>

click Capture

write(15, “\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100 <0.000385>


write(15, “\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100 <0.000899>


write(15, “\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100 <0.000908>

Clicking HDR

write(15, “\23\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0″…, 100) = 100 <0.001058>

Sliding MF slider in MF mode, so write \10and then a position ( i changed strace to dump in hex here)

write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xeb\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002519>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.007700>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf4\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.007004>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002271>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.008654>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002378>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.003269>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002288>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002283>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002493>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.006618>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002643>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.015587>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002530>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002634>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002608>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x57\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002951>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.003195>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.007897>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.010341>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002574>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002904>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x83\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.027182>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002345>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.007582>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.005741>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002418>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xac\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002833>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbb\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.014942>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.116899>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002403>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.010266>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.014076>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002584>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.024927>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x12\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.007165>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002472>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x46\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.120134>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4f\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.002780>
write(15, “\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x77\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.105966>

clicking 50/60Hz

Entering the cmos_fps_set!
write(15, “\x1b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″…, 100) = 100 <0.000859>

A bit of the old Heath Robinson going on but its a start,  also planning to add a Y stage.


If you wanted to rewrite the GUI app its just doing the above with a straight up  /dev/fb0 and QT and then overlaying the crosshairs etc.

/dev/fb0 is a hardware overlay over the cameras sensor, copying urandom onto /dev/fb0 , moving mouse around erases the fb0, but the background stays regardless


now that i can control the camera i can do a focus stack capture, which just means controlling the focus of the camera either by mocing it up and down or by moving the AF motor, so lets do that.

first figure out the range that the object is in focus at near and far plane. in my case 140 to 155

step from 140 to 155 and capture image each step.

serial in to the shell, add the talk app , insert an sd-card

for var in `seq 140 155`; do ./talk p $var ; ./talk C ; done


quick focus stack result with 15 steps

some results

camera view

after focus stack


test apps and source at


Created a .ko for the r8152 USB to ethernet adapter, and it works.

/mnt/sdcard # insmod ./r8152.ko
usbcore: registered new interface driver r8152
/mnt/sdcard #
/mnt/sdcard # usb 1-1: reset high-speed USB device number 3 using hiusb-ehci
r8152 1-1:1.0: eth0: v2.12.0 (2019/04/29)
r8152 1-1:1.0: eth0: This product is covered by one or more of the following patents:
                US6,570,884, US6,115,776, and US6,327,625.


/mnt/sdcard # ifconfig
eth0      Link encap:Ethernet  HWaddr 70:88:6B:86:3F:97
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1540 (1.5 KiB)  TX bytes:0 (0.0 B)


ifconfig eth0 netmask


/mnt/sdcard # ifconfig
eth0      Link encap:Ethernet  HWaddr 70:88:6B:86:3F:97
          inet addr:  Bcast:  Mask:
          RX packets:135 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
           RX bytes:12590 (12.2 KiB)  TX bytes:0 (0.0 B)


[C:\Program Files\JPSoft\TCMD17x64]ping


Pinging with 32 bytes of data:
Reply from bytes=32 time=1ms TTL=64
Reply from bytes=32 time=1ms TTL=64


Just started to add an Eagle BRD overlay, load the BRD in and it’ll draw the tracks/vias etc.